Hurricane Electric's IPv6 Tunnel Broker Forums

DNS.HE.NET Topics => General Questions & Suggestions => Topic started by: taylorcs89 on May 19, 2020, 04:58:40 PM

Title: Non standard ports on DNS Slave
Post by: taylorcs89 on May 19, 2020, 04:58:40 PM
I have a hidden master server, using dns.he.net to slave to it.  However it only accepts default port of 53.  Is there a way to use a non standard port?
Title: Re: Non standard ports on DNS Slave
Post by: passport123 on May 20, 2020, 07:21:04 AM
I'm not sure the reason behind your need, however, I did have a similar need, i.e., I did not want random hosts/scanners connecting to the hidden master.

I resolved that need by configuring the firewall on the hidden master to allow inbound connections only from the HE secondary servers, 216.218.133.2 and 2001:470:600::2.  Outbound connections to any IP were already allowed.

That's been working fine for me.

Title: Re: Non standard ports on DNS Slave
Post by: snarked on May 21, 2020, 10:31:52 AM
I agree with the above solution.  AXFRs should also be restricted at the serverís application layer.

A nonstandard port isnít an option by using dns data.  To access a SRV record, one must make a DNS query to fetch it - so how is one going to do that to know to use the nonstandard port to get the record to get that info?  One canít glue SRV records to a parent zone.

With BIND, the server statement doesnít have a port option.  Youíre on your own as to other software.

Using DANE with DNS, one has to fetch the SRV record (and TLSA records) for ď_853._tcp.DNS....Ē via port 53 unencrypted before using TLS-secured DNS queries.  Same problem as above.

Even with all of that, to expect HE to do something nonstandard is dreaming....