• # Auto réponse (et flagellation)

    Posté par . En réponse au journal dnsmasq, un petit serveur DNS. Évalué à 6.

    Evidemment, à force de lire "Cherche sur Google pour trouver une réponse", j'ai même pas lu la FAQ qui contient la réponse à ma question métaportologique du port 1113 :
    Q: Why does dnsmasq open UDP ports >1024 as well as port 53.
     Is this a security problem/trojan/backdoor?
    A: The high ports that dnsmasq opens is for replies from the upstream
     nameserver(s). Queries from dnsmasq to upstream nameservers are sent
     from these ports and replies received to them. The reason for doing this is
     that most firewall setups block incoming packets _to_ port 53, in order
     to stop DNS queries from the outside world. If dnsmasq sent its queries
     from port 53 the replies would be _to_ port 53 and get blocked.
     This is not a security hole since dnsmasq will only accept replies to that
     port: queries are dropped. The replies must be to oustanding queries
     which dnsmasq has forwarded, otherwise they are dropped too.
     
     Addendum: dnsmasq now has the option "query-port" (-Q), which allows
     you to specify the UDP port to be used for this purpose. If not
     specified, the operating system will select an available port number
     just as it did before.