[plug] OT: latest worm affecting bind

Bill Kenworthy billk at iinet.net.au
Fri Mar 30 21:36:25 WST 2001


I went into this a bit some time ago - apparently new versions of bind
use an unprivileged port but this wasn't always so.  ipchains logging on
my machine often shows many attempts on port 53 soon after the dialup
goes online and sometimes at other times.  These soon stop and
everything works smoothly. If I enable ipchains to allow the connects
through, I actually get few/none logged - I suspect that one reply is
enough so the software doesn't keep trying servers until it finds one on
an unprivileged port that it receives a reply from (which then can
connect, stopping the process).  Hard to prove and I have not had the
time to confirm if this is the case.  Also, in some cases, restrictive
firewalls require that bind be set to use port 53 only so it can get
through at all.

BillK

> Yeah, sorry, you're right.  What I was thinking of is that you need to
> allow incoming UDP packets *from* port 53 which effectively means that
> you're opening yourself up to any UDP packets anyone cares to send
> (within the restrictions of any other rules).
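The point in the quoted reply is that a rule keyed only on "UDP from source port 53" admits any datagram whose sender chose that port, whereas a reply-only (connection-tracking style) rule admits just the answer to a query this host actually sent, whichever source port the resolver used. The following small simulation is an added illustration, not code from the thread; the addresses and ports are constructed, and the filter is a toy model rather than ipchains or any real tracking table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A UDP datagram reduced to the fields a packet filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int


def stateless_allow_from_53(pkt: Packet) -> bool:
    """The 'allow incoming UDP from port 53' rule from the quoted reply.

    It keys on the remote source port alone, so any host that sets its
    source port to 53 matches, whether or not we ever asked it anything.
    """
    return pkt.sport == 53


class ReplyOnlyFilter:
    """Accept inbound UDP only if it answers a datagram this host sent.

    Toy model of connection tracking: remember each outbound (local, remote)
    endpoint pair and admit the first inbound packet whose endpoints are the
    mirror image. The resolver's own source port is irrelevant to the rule,
    so a BIND using an unprivileged port and one pinned to port 53 are
    handled identically.
    """

    def __init__(self) -> None:
        self._pending: set[tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> None:
        self._pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self._pending:
            self._pending.discard(key)  # one reply closes the entry
            return True
        return False


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Run both rules over constructed traffic; returns {case: (stateless, stateful)}."""
    local, ns, stranger = "10.0.0.2", "192.0.2.53", "198.51.100.7"  # constructed addresses
    f = ReplyOnlyFilter()
    results: dict[str, tuple[bool, bool]] = {}

    # Newer BIND: the query leaves from an unprivileged port and the reply returns to it.
    f.outbound(Packet(local, 1025, ns, 53))
    reply = Packet(ns, 53, local, 1025)
    results["reply_to_query"] = (stateless_allow_from_53(reply), f.inbound(reply))

    # An unsolicited datagram from elsewhere that merely sets its source port to 53.
    forged = Packet(stranger, 53, local, 1025)
    results["unsolicited_sport_53"] = (stateless_allow_from_53(forged), f.inbound(forged))

    # Older BIND pinned to port 53 on both ends: both rules admit the genuine reply.
    f.outbound(Packet(local, 53, ns, 53))
    reply53 = Packet(ns, 53, local, 53)
    results["reply_port53_resolver"] = (stateless_allow_from_53(reply53), f.inbound(reply53))

    # A second copy of that reply after the tracking entry has been consumed.
    results["duplicate_reply"] = (stateless_allow_from_53(reply53), f.inbound(reply53))
    return results


if __name__ == "__main__":
    for case, (stateless, stateful) in run_scenario().items():
        print(f"{case:24s} stateless={str(stateless):5s} stateful={stateful}")
```

The stateless rule says "allow" in every case, including the unsolicited datagram; the reply-only filter admits the two genuine answers and rejects both the forged packet and the stale duplicate, which is also consistent with the observation above that a single reply is enough to end the resolver's retries.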


