7.1 Do Not Define a Static Source Port


BIND can be configured to always use the same source port when communicating with other DNS servers. This capability is made possible through the query-source port option, and the query-source-v6 port option. It is recommended that the source port be omitted if the query-source option is used, or that the port be specified as a *, so that the port will not be a static port number.


DNS attacks which involve spoofing a bogus DNS reply may require the attacker to guess the source port number of the request, if the attacker is unable to see the initial DNS query. Making the source port static makes the attack easier, as it eliminates the effort of getting the correct destination port number for the spoofed reply. Instead of a static source port, the port number should be selected randomly from the client ephemeral ports.


Either remove the port specification from the query-source or the query-source-v6 option or use an * for the port number.

Default Value:

The default is to not use a static source port for queries.

See Also


Item Details


References: 800-53|SI-4, CSCv6|9, CSCv7|9.2

Plugin: Unix

Control ID: 2546428d0592871876465c33c3ddea3d277927ccf72210840b1f2f23efc5548f