Diffstat (limited to 'etc/namedb')
-rw-r--r--etc/namedb/named.conf20
1 files changed, 13 insertions, 7 deletions
diff --git a/etc/namedb/named.conf b/etc/namedb/named.conf
index 865eee0..dd2d115 100644
--- a/etc/namedb/named.conf
+++ b/etc/namedb/named.conf
@@ -46,13 +46,19 @@ options {
};
*/
/*
- * If there is a firewall between you and nameservers you want
- * to talk to, you might need to uncomment the query-source
- * directive below. Previous versions of BIND always asked
- * questions using port 53, but BIND versions 8 and later
- * use a pseudo-random unprivileged UDP port by default.
- */
- // query-source address * port 53;
+ Modern versions of BIND use a random UDP port for each outgoing
+ query by default in order to dramatically reduce the possibility
+ of cache poisoning. All users are strongly encouraged to utilize
+ this feature, and to configure their firewalls to accommodate it.
+
+ AS A LAST RESORT in order to get around a restrictive firewall
+ policy you can try enabling the option below. Use of this option
+ will significantly reduce your ability to withstand cache poisoning
+ attacks, and should be avoided if at all possible.
+
+ Replace NNNNN in the example with a number between 49160 and 65530.
+ */
+ // query-source address * port NNNNN;
};
// If you enable a local name server, don't forget to enter 127.0.0.1
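Review bot: The only firewall workaround the new comment offers is pinning a single fixed source port, which the comment itself says significantly weakens resistance to cache poisoning; it would be worth mentioning next to the `query-source` example that the randomized range can instead be narrowed so a firewall can admit a bounded range while port randomization is retained, e.g. `// use-v4-udp-ports { range 49160 65530; };` (and `use-v6-udp-ports` for IPv6), with the note that support for these options depends on the BIND version shipped, which is not visible in the hunk. The example also only covers the IPv4 socket; a site that really must pin the port on IPv6 would need the corresponding `query-source-v6` directive, which the comment does not mention. The enclosing `options { ... }` block opens before the hunk and appears to close at the `};` just above this line.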