Category: System Operations
2011-04-02 10:56:38
DNS server query-source port
After upgrading a very old server, named refused to start with the message: using specific port suppresses port randomization and can be insecure. Looking at named.conf:
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND versions 8 and later
* use a pseudo-random unprivileged UDP port by default.
*/
query-source address * port 53;
As you can see, early versions of BIND had to send queries from port 53, but since BIND 8 the default is a pseudo-random UDP source port, so the fix is simple:
Comment out query-source address * port 53; and add dnssec-enable yes;
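As an added example that is not part of the original post, the following Python snippet audits a named.conf fragment for active query-source or query-source-v6 directives that pin a fixed source port, the setting named rejects here because it suppresses source-port randomization (the defence against guessed-response cache poisoning). The sample configuration in SAMPLE_CONF is constructed for the demonstration.

```python
import re

# An active (uncommented) query-source / query-source-v6 directive, e.g.
# "query-source address * port 53;"
_QS_RE = re.compile(r"\bquery-source(?:-v6)?\b([^;]*);", re.IGNORECASE)
# The optional port clause inside it: a number, or "*" for a random port.
_PORT_RE = re.compile(r"\bport\s+(\d+|\*)", re.IGNORECASE)


def strip_comments(conf: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.DOTALL)
    conf = re.sub(r"(?m)(//|#).*$", "", conf)
    return conf


def find_fixed_query_source_ports(conf: str) -> list:
    """Return (directive, port) pairs for every active query-source directive
    that pins a fixed port. "port *" or an omitted port lets BIND randomise
    the source port, so those directives are not reported."""
    findings = []
    for m in _QS_RE.finditer(strip_comments(conf)):
        directive = " ".join(m.group(0).split())
        pm = _PORT_RE.search(m.group(1))
        if pm and pm.group(1) != "*":
            findings.append((directive, int(pm.group(1))))
    return findings


# Constructed sample named.conf fragment: the fixed-port directive from the
# post is still active, the v6 directive is randomised, and a third one is
# already commented out and must not be reported.
SAMPLE_CONF = """
options {
    directory "/var/named";
    /*
     * Previous versions of BIND always asked questions using port 53,
     * but BIND 8 and later use a pseudo-random unprivileged UDP port.
     */
    query-source address * port 53;
    query-source-v6 address * port *;
    // query-source address 192.0.2.1 port 1053;
};
"""

if __name__ == "__main__":
    for directive, port in find_fixed_query_source_ports(SAMPLE_CONF):
        print(f"fixed source port {port} suppresses randomization: {directive}")
```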