[Dnsmasq-discuss] max ports option

Simon Kelley simon at thekelleys.org.uk
Fri Feb 26 09:41:10 GMT 2010


Don Muller wrote:
> There is a way to specify what port to use for outbound DNS queries via
> query-port=<query_port>. There is a way to specify the minimum port
> number to use via min-port=<port>. But unless I missed it there is no
> way to specify a max port or range of ports to use. If you added a
> max-port=<port> it would allow you to specify the max port number to use
> and if used in conjunction with min-port would then specify a range of
> port numbers to use. This would be very useful for controlling port
> usage on the system.
> 
> What do you think? 
As far as I remember, I didn't add this so as to discourage people from
setting a limited range of ports - the reason for using random ports is
for security - to spoof a DNS reply an attacker has to guess the
query-id _and_ the port number. The larger the range of possible port
numbers, the harder the guessing. Min-port is there to accommodate
firewalls which block low ports that may have sensitive things listening
on them, but as much as possible of the port range should be available.

If you want to use a limited port-range, and are willing to accept the
increased vulnerability to spoofing attack, you may as well use a single
port, which is still available via query-port, as you noted.

That's very much a judgment call, and I'm willing to hear arguments to
the contrary.

>Something that can be easily added?
Trivial to add, if it's determined to be a Good Thing.

Cheers,

Simon
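To make the trade-off in the reply above concrete, here is an added example (not dnsmasq code, and not from either poster) that reads the source-port options from a dnsmasq-style configuration fragment and computes the space a forged reply would have to hit: the 16-bit query id multiplied by the number of possible source ports. The handling of `max-port` follows the option proposed in this thread rather than any shipped feature; the range model (no option means 1..65535, `min-port` alone means min..65535, `query-port` means exactly one port) is this example's own simplifying assumption, not a statement about dnsmasq internals.

```python
"""Estimate the guessing space a DNS-reply spoofer faces, given the
source-port options found in a dnsmasq-style configuration fragment.

Model (an assumption made for this illustration, not dnsmasq's own code):
  query-port=<p>   every query leaves from the single port p
  min-port=<p>     random ports are drawn from p..65535
  max-port=<p>     upper bound of the range (the option proposed in the thread)
  none of them     1..65535
A forged reply must match the 16-bit query id AND the source port, so a
single forged packet succeeds with probability 1 / (ports * 65536).
"""
import re

TXID_SPACE = 1 << 16   # DNS query id is 16 bits
PORT_MIN = 1
PORT_MAX = 65535

_OPT_RE = re.compile(r"(query-port|min-port|max-port)=(\d+)")


def parse_port_options(config_text):
    """Collect the three port-related options; later lines override earlier ones."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        m = _OPT_RE.fullmatch(line)
        if m:
            opts[m.group(1)] = int(m.group(2))
    return opts


def effective_port_range(opts):
    """Return the inclusive (low, high) source-port range implied by opts.

    Raises ValueError for a range that cannot be honoured (min above max,
    or a port outside 1..65535) instead of silently shrinking it.
    """
    if "query-port" in opts:
        p = opts["query-port"]
        if not PORT_MIN <= p <= PORT_MAX:
            raise ValueError("query-port %d outside 1..65535" % p)
        return (p, p)
    low = opts.get("min-port", PORT_MIN)
    high = opts.get("max-port", PORT_MAX)
    if not (PORT_MIN <= low <= high <= PORT_MAX):
        raise ValueError("invalid port range %d..%d" % (low, high))
    return (low, high)


def spoof_guess_space(opts):
    """Number of (port, query-id) pairs an attacker must guess among."""
    low, high = effective_port_range(opts)
    return (high - low + 1) * TXID_SPACE


def burst_success_probability(opts, forged_packets):
    """Probability that a burst of `forged_packets` distinct guesses hits
    the live (port, id) pair before the real answer arrives."""
    space = spoof_guess_space(opts)
    return min(1.0, forged_packets / space)


if __name__ == "__main__":
    # Constructed sample fragments, one per configuration style in the thread.
    samples = {
        "min-port only   ": "min-port=1024\n",
        "narrow range    ": "min-port=50000\nmax-port=50100  # proposed option\n",
        "single port     ": "query-port=5353\n",
    }
    for name, text in samples.items():
        opts = parse_port_options(text)
        low, high = effective_port_range(opts)
        print("%s ports %5d..%5d  guess space %13d  P(hit | 10k forged) %.2e"
              % (name, low, high, spoof_guess_space(opts),
                 burst_success_probability(opts, 10_000)))
```

Running it side by side shows why the reply argues for keeping as much of the range as possible: with `min-port=1024` the guess space is about 4.2 billion, a 101-port window cuts it to about 6.6 million, and a single `query-port` leaves only the 65536 query ids. A range option is not wrong in itself, but anything narrower than the full range should be a deliberate choice made with that number in view.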