Subject: Re: bind (was: Is my ipfilter list secure?)
To: Roger Fischer <roger@aileron.org>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 04/26/2002 15:37:34
In message <20020426192039.B472F7B4B@berkshire.research.att.com>, "Steven M. Bellovin" writes:

>>
>
>
>I'm not sure about bind 8, but with bind 9, the query port is *not* 53. 
>I use the following on my laptop:
>
>options {
>        directory "/etc/namedb";
>        listen-on { 127.0.0.1; 172.16.212.1; };
>        query-source port 60000;
>        allow-query { 127.0.0.1; 172.16.212.0/24; };
>};
>
>(The 172.16 stuff is how to set it up on a gateway machine.)
>

Following up my own post -- I should add that I also use an ipfilter 
rule to block outside access to the non-existent port.  Apart from the 
belt-and-suspenders philosophy, this guards against someone on the same 
link sending me a forged 127.1->127.1 packet, hand-built and sent over 
the wire to my MAC address.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
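The message above relies on two layers: named itself binds only to the loopback and gateway addresses (listen-on / allow-query) and sends queries from a fixed non-53 port, while an ipfilter rule on the wire interface stops anyone from reaching that port or handing the kernel a forged loopback packet. The following is an added illustration, not code from the message or from BIND/ipfilter, that models those rules in Python so the forged 127.1->127.1 case can be exercised offline. The query port 60000 comes from the quoted config; the interface name fxp0, the use of ipf-style keep-state so that replies to outstanding queries are admitted, and the default pass for unrelated traffic are assumptions made here for the model.

```python
"""Model of the host filter described in the post: block loopback-addressed
packets arriving over the wire, and admit traffic to the query-source port
only when it answers a query this host sent (ipf 'keep state' behaviour).
Added example; the named.conf values are from the quoted post, the rest is assumed.
"""
from dataclasses import dataclass
import ipaddress

QUERY_PORT = 60000            # 'query-source port 60000' in the quoted options block
WIRE_IF = "fxp0"              # assumed name of the external (wire) interface
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" (arrived on iface) or "out" (leaving via iface)
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def is_loopback(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LOOPBACK_NET


class QueryPortFilter:
    """First-match, 'quick'-style evaluation of the rules the post describes."""

    def __init__(self) -> None:
        # Outstanding queries: (our addr, our port, server addr, server port).
        self.state: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        # Only the wire interface is filtered here; lo0 and the inside interface are
        # left to named's own listen-on / allow-query settings (a simplification).
        if pkt.iface != WIRE_IF:
            return "pass"

        # Rule 1: 127/8 never legitimately appears on the wire. This is the rule that
        # catches a hand-built 127.1 -> 127.1 packet delivered to our MAC address.
        if pkt.direction == "in" and (is_loopback(pkt.src) or is_loopback(pkt.dst)):
            return "block"

        # Rule 2 (outbound): a query leaving from the query-source port creates state.
        if (pkt.direction == "out" and pkt.proto == "udp"
                and pkt.sport == QUERY_PORT and pkt.dport == 53):
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass"

        # Rule 2 (inbound): the query-source port is not a service. Admit a datagram
        # aimed at it only if it matches a query we are waiting on, then retire the state.
        if pkt.direction == "in" and pkt.proto == "udp" and pkt.dport == QUERY_PORT:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.state:
                self.state.discard(key)
                return "pass"
            return "block"

        return "pass"  # everything else is outside the scope of the post's rules


def run_scenarios() -> dict[str, str]:
    """Constructed packets exercising each case; returns the decision for each."""
    f = QueryPortFilter()
    gateway, upstream, attacker = "172.16.212.1", "192.0.2.53", "192.0.2.99"
    forged = Packet("in", WIRE_IF, "udp", "127.0.0.1", 53, "127.0.0.1", QUERY_PORT)
    local = Packet("in", "lo0", "udp", "127.0.0.1", 53, "127.0.0.1", QUERY_PORT)
    unsolicited = Packet("in", WIRE_IF, "udp", attacker, 53, gateway, QUERY_PORT)
    query = Packet("out", WIRE_IF, "udp", gateway, QUERY_PORT, upstream, 53)
    reply = Packet("in", WIRE_IF, "udp", upstream, 53, gateway, QUERY_PORT)
    results = {
        "forged_loopback_on_wire": f.decide(forged),
        "loopback_on_lo0": f.decide(local),
        "unsolicited_to_query_port": f.decide(unsolicited),
        "outbound_query": f.decide(query),
        "matching_reply": f.decide(reply),
        "replayed_reply": f.decide(reply),   # state already consumed
    }
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} {verdict}")
```

The ordering matters: the loopback check must sit before the stateful rule, otherwise a forged 127.0.0.1:53 -> 127.0.0.1:60000 datagram would be judged only on whether it matches outstanding state, and a careless configuration that pre-creates state for loopback traffic would let it through. The model also shows why the port alone is no protection: without the state table, rule 2 would have to choose between blocking legitimate replies and accepting anything aimed at port 60000.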