Login or Register to Ask a Question and Join Our Community


AIX

Forcing named 9 to use a fixed ephemeral port range

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Operating Systems AIX Forcing named 9 to use a fixed ephemeral port range
# 1  
Old 02-02-2018
Forcing named 9 to use a fixed ephemeral port range
I'll start with I'm not an AIX expert, I inherited a lot of AIX servers to maintain.

My problem is on AIX 7.1 TL4 SP4 environments. I'm running named as a DNS forwarder only to internal DNS servers.

These AIX servers have a customized UDP ephemeral port range to avoid conflicting with the primary application running on them that defaults to a portion of the typical ephemeral range.

Since configuring named, I've seen that named is ignoring the OS configured ephemeral range.

The OS restricted UDP range is: 32768 to 49999.
I've seen requests from named using source ports above 49999.

After googling, the only article I can find that references named/bind and ephemeral ports is a page from ISC related to BIND 9. There's a setting "use-v4-udp-ports { range 1024 65535; };" that forces named to use a fixed UDP range for source ports. But the IBM documentation on named doesn't cover this option.
I tried putting the setting onto named.conf on a test system but now named won't start and no errors are logged.
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. UNIX for Beginners Questions & Answers

Bash script, find the next closed (not in use) port from some port range.

hi, i would like to create a bash script that check which port in my Linux server are closed (not in use) from a specific range, port range (3000-3010). the print output need to be only 1 port, and it will be nice if the output will be saved as a variable or in same file. my code is: ... (2 Replies)
Discussion started by: yossi
2 Replies

2. Solaris

How to find port number wwn of particular port on dual port HBA,?

please find the below o/p for your reference bash-3.00# fcinfo hba-port HBA Port WWN: 21000024ff295a34 OS Device Name: /dev/cfg/c2 Manufacturer: QLogic Corp. Model: 375-3356-02 Firmware Version: 05.03.02 FCode/BIOS Version: BIOS: 2.02; fcode: 2.01;... (3 Replies)
Discussion started by: sb200
3 Replies

3. Red Hat

Which is the effective ephemeral port range in Linux 2.6 for this set up?

In my Linux system ephemeral port range is showing different ranges as follows $ cat /proc/sys/net/ipv4/ip_local_port_range 32768 61000  cat /etc/sysctl.conf | grep net.ipv4.ip_local_port_range net.ipv4.ip_local_port_range = 9000 65500 Which will be the effective ephemeral port... (5 Replies)
Discussion started by: steephen
5 Replies

4. Programming

Forcing a write to a file without newline?

Hello, I am writing a program which runs with root privileges, and it creates a child with lowered privileges and has to redirect it's stdout and stderr to a file and then run bash. The problem is, whenever I read this file, I want to see all of the current output, even when the program is still... (10 Replies)
Discussion started by: madd-games
10 Replies

5. UNIX for Dummies Questions & Answers

iptables to block port 25 only to a certain range

I want to limit all *outbound* traffic on eth0 (or all *.*) on port 25 to a specific (allowed) range... I.E. 192.168.1.5 (local ip) tries to connect to 1.2.3.4:25 (outside real world ip) It can proceed because 1.2.3.0/24 is the allowed range Now, 192.168.1.5 (local ip) tries to connect to... (1 Reply)
Discussion started by: holyearth
1 Replies

6. AIX

Allow port range using IPsec?

Hi Guys, Please could you tell me if it is possible to have a single rule/filter to allow a certain port range instead of a separate rule for each port? I'm sure it must be possible but I am unable to find the syntax. Thanks Chris (4 Replies)
Discussion started by: chrisstevens
4 Replies

7. AIX

TCP/UDP port range for default AIX NFS?

May I know what is the TCP/UCP port range for any default AIX NFS? Based on rpcinfo -p, I got the following output: program vers proto port service 100000 4 udp 111 portmapper 100000 3 udp 111 portmapper 100000 2 udp 111 portmapper 100000 4 ... (4 Replies)
Discussion started by: famasutika
4 Replies

8. UNIX for Advanced & Expert Users

Reserve Ephemeral ports

my apps use port 40001; however, for example, firstly, I ftp to other server, it made a high port locally, remote is port 21, unfortunately, it hit my port 40001 and my apps is unable to startup. This chance is very very little, but I hit it. Can resevse my port 40001? otherwise command don't use it (5 Replies)
Discussion started by: goodbid
5 Replies

9. Solaris

forcing users to su

Is there a way in solaris 9 to prevent a user to login via ssh, telnet, rlogin, and only be able to su as that user, for example have DBA joe blow login as jblow, and then su to oracle BUT not vice versa have DBA joe blow login as oralce (6 Replies)
Discussion started by: csaunders
6 Replies

10. UNIX for Advanced & Expert Users

forcing su on a user

This is for 3 os's, AIX, Solaris, and AIX, didnt want to post three seperate times on the same subject, anyways, I want to force the user MQM to su, i.e. not be able to rlogin/telnet to the box as user MQM, only login as there ID(chris for example) and su to MQM, does anyone know how to do this,... (4 Replies)
Discussion started by: csaunders
4 Replies
Login or Register to Ask a Question

LEARN ABOUT NETBSD

rfc6056

RFC6056(7)					       BSD Miscellaneous Information Manual						RFC6056(7)

NAME

     rfc6056 -- port randomization algorithms

DESCRIPTION

     The rfc6056 algorithms are used in order to randomize the port allocation of outgoing UDP packets, in order to provide protection from a
     series of ``blind'' attacks based on the attacker's ability to guess the sequence of ephemeral ports associated with outgoing packets.  For
     more information consult RFC 6056.

     The individual algorithms are described below:

   The RFC 6056 algorithms
     The following algorithms are available:

     bsd	   This is the default NetBSD port selection algorithm, which starts from anonportmax and proceeds decreasingly through the avail-
		   able ephemeral ports.

     random_start  Select ports randomly from the available ephemeral ports.  In case a collision with a local port is detected, the algorithm
		   proceeds decreasingly through the sequence of ephemeral ports until a free port is found.  Note that the random port selection
		   algorithms are not guaranteed to find a free port.

     random_pick   Select ports randomly from the available ephemeral ports.  In case a collision with a local port is detected the algorithm
		   tries selecting a new port randomly until a free port is found.

     hash	   Select ports using a md5(3) hash of the local address, the foreign address, and the foreign port.  Note that in the case of a
		   bind(2) call some of this information might be unavailable and the port selection is delayed until the time of a connect(2)
		   call, performed either explicitly or up calling sendto(2).

     doublehash    Select ports using a md5(3) hash of the local address, foreign address, and foreign port coupled with a md5(3) hash of the same
		   components obtained using a separate table that is associated with a subset of all outgoing connections.  The same considera-
		   tions regarding late connection as in the case of hash apply.

     randinc	   Use random increments in order to select the next port.

SYSCTL CONTROLS

     The following sysctl controls are available for selecting the default port randomization algorithm:

     sysctl name			 Type	   Changeable
     net.inet.udp.rfc6056.available	 string    no
     net.inet.udp.rfc6056.selected	 string    yes
     net.inet6.udp6.rfc6056.available	 string    no
     net.inet6.udp6.rfc6056.selected	 string    yes

SOCKET OPTIONS

     The socket option UDP_RFC6056ALGO at the IPPROTO_UDP level can be used with a string argument specifying the algorithm's name in order to
     select the port randomization algorithm for a specific socket.  For more info see setsockopt(2).

SEE ALSO

     setsockopt(2), sysctl(3), sysctl(7)

HISTORY

     The rfc6056 algorithms first appeared in NetBSD 6.0.

BSD
								  August 25, 2011							       BSD