On Mon, 16 Jan 2017, Stuart Henderson wrote:
> In normal operations NSD _does_ run on port 53.
Yes. But if you want both NSD and UNBOUND running on the same box, things
need to change.
> Prior to the change to make -p an error, but after the dns pledge was
> added, -p was allowed but ignored with a warning. See the commit adding
> SOCK_DNS.
On my OpenBSD 5.1 system, '-p' was still allowed, and it had a pledge list
of "stdio dns". When 'rpath' was added to the pledge list, it was at this
time at which '-p' was effectively disabled.
ADSL ISPs here in Australia have some (cheap) home-user connections with
ports blocked, while for business-user connections, ports are not blocked.
But they regularly screw up by blocking ports for business users so I need
a tool to test. So I need an internet testing tool.
Maybe I need more enlightenment on my poor understanding of pledge as to
why restricting the port number to only 53 is needed.
> Some people just use dig for looking up DNS records and I think for them
> the dns pledge restrictions are a useful way to limit bug damage.
Pledge is great. But I cannot see the link between pledge and killing off
the '-p' option. Maybe I am getting senile, or just too much summer sun on
my brain.
> Others use dig as a DNS server debugging tool and I think in those cases
> the port restriction (and forcing traffic through rebound if it's running)
> can get in the way.
It did. I thought for a while I was doing something stupid or had really
screwed up the firewall's 'pf' configuration.
I have NSD listening on 8053.
With 'pass ... port 53 rdr-to (pppoe0) port 8053' in pf.conf, a telnet to
port 53 failed. But doing 'pass ... port 8080 rdr-to (pppoe0) port 8053'
in 'pf.conf' and telnet to port 8080, worked. So I was fairly sure my
'pf.conf' was not flawed.
But using 'dig -p8053', or any other ports that I used, was an invaluable
aid in being able to prove conclusively that the ISP had messed up. Other
testing was going to be hairy, and probably not conclusive.
> Alternatively you could use the version of dig from packages which
> doesn't use pledge:
> pkg_add isc-bind
> /usr/local/bin/dig -p
> However, because this one doesn't use pledge at all, bugs are a bigger risk.
I thought the whole idea of using NSD/UNBOUND is to avoid installing
'isc_bind'.
I still cannot see what risk there is in querying a DNS server on a non-standard
port. Enlighten me please?
Regards - Damian
Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of any past or present employer
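The thread above is about losing `dig -p` as a way to prove that a DNS query to a non-standard port (8053 in Damian's setup) actually gets through. As an added example that is not part of the original message, the following Python script does the same job without dig: it hand-builds a DNS query, sends it over UDP to an arbitrary host:port, and parses the reply, so a timeout distinguishes "port blocked upstream" from "server answered". The hostname, the 192.0.2.x address and the loopback responder are constructed for the example; the responder exists only so the probe can be exercised offline, it is not a real name server.

```python
"""Minimal DNS probe for a non-standard port (added example, not from the thread).

Stands in for `dig -p <port>` when the base dig refuses -p: builds a DNS
query by hand, sends it over UDP to host:port and parses the answer.
The loopback responder at the bottom is constructed for the example so the
probe can be run offline; against a real server just call probe() directly.
"""
import socket
import struct
import threading


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode one recursion-desired question for `name` (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                 # RFC 1035 compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg: bytes, txid: int):
    """Return (rcode, [IPv4 strings from A records]); reject a wrong txid."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, off = parse_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = parse_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def probe(name: str, host: str, port: int, timeout: float = 2.0):
    """Send one query to host:port. Returns (rcode, addrs), or None on
    timeout, which is what a port filtered upstream looks like to the client."""
    txid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (host, port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data, txid)


def start_fake_server(answer_ip: str) -> int:
    """Constructed loopback responder: answers one query with a single A record
    and returns the ephemeral port it is bound to (stand-in for NSD on 8053)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        data, peer = srv.recvfrom(512)
        question = data[12:]                      # QNAME + QTYPE + QCLASS, echoed
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                  + socket.inet_aton(answer_ip))
        srv.sendto(data[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0)
                   + question + answer, peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    p = start_fake_server("192.0.2.53")           # constructed address
    print(probe("ns.example.net", "127.0.0.1", p))
```

Against a real ISP path you would point `probe()` at the public address and at both 53 and 8053 and compare: an answer on 8053 but a timeout on 53 is the same evidence the thread describes getting from `dig -p8053`, with no dependence on the base dig's pledge policy.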