Hurricane Electric's IPv6 Tunnel Broker Forums


Author Topic: Non standard ports on DNS Slave  (Read 69 times)

taylorcs89

  • Newbie
  • Posts: 1
Non standard ports on DNS Slave
« on: May 19, 2020, 04:58:40 PM »

I have a hidden master server, using dns.he.net to slave to it.  However it only accepts default port of 53.  Is there a way to use a non standard port?

passport123

  • Newbie
  • Posts: 36
Re: Non standard ports on DNS Slave
« Reply #1 on: May 20, 2020, 07:21:04 AM »

I'm not sure the reason behind your need, however, I did have a similar need, i.e., I did not want random hosts/scanners connecting to the hidden master.

I resolved that need by configuring the firewall on the hidden master to allow inbound connections only from the HE secondary servers, 216.218.133.2 and 2001:470:600::2.  Outbound connections to any IP were already allowed.

That's been working fine for me.

« Last Edit: May 20, 2020, 07:36:47 AM by passport123 »
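The network-layer restriction passport123 describes, written out as an nftables ruleset. This is an added example, not something posted in the thread or published by HE: the two HE secondary addresses are the ones quoted in the reply above, while the management host address (192.0.2.10) and the rest of the policy are assumptions for illustration. It drops and logs any other DNS traffic reaching the hidden master, so unexpected transfer or query attempts show up in the logs instead of silently reaching named.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the forum thread): inbound policy for a hidden
# master that only talks DNS with HE's secondary servers.
flush ruleset

# HE secondary addresses as given in the reply above
define HE_SECONDARY_V4 = { 216.218.133.2 }
define HE_SECONDARY_V6 = { 2001:470:600::2 }

# Assumed management host; replace with your own
define MGMT_V4 = { 192.0.2.10 }

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # replies to connections the master itself opened (NOTIFY, updates, ...)
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept

        # DNS only from the HE secondaries: UDP for SOA checks, TCP for AXFR/IXFR
        ip saddr $HE_SECONDARY_V4 udp dport 53 accept
        ip saddr $HE_SECONDARY_V4 tcp dport 53 accept
        ip6 saddr $HE_SECONDARY_V6 udp dport 53 accept
        ip6 saddr $HE_SECONDARY_V6 tcp dport 53 accept

        # SSH from the management host only
        ip saddr $MGMT_V4 tcp dport 22 accept

        # anything else aimed at port 53 is counted and logged before the drop,
        # so scanners and stray resolvers are visible in the kernel log
        udp dport 53 counter log prefix "dns-master-denied " drop
        tcp dport 53 counter log prefix "dns-master-denied " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # outbound stays open, matching the reply above
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`; the `counter` on the two drop rules makes it easy to see whether anything other than HE is still trying to reach the master.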

snarked

  • Hero Member
  • Posts: 774
Re: Non standard ports on DNS Slave
« Reply #2 on: May 21, 2020, 10:31:52 AM »

I agree with the above solution.  AXFRs should also be restricted at the server's application layer.

A nonstandard port isn't an option by using dns data.  To access a SRV record, one must make a DNS query to fetch it - so how is one going to do that to know to use the nonstandard port to get the record to get that info?  One can't glue SRV records to a parent zone.

With BIND, the server statement doesn't have a port option.  You're on your own as to other software.

Using DANE with DNS, one has to fetch the SRV record (and TLSA records) for "_853._tcp.DNS...." via port 53 unencrypted before using TLS-secured DNS queries.  Same problem as above.

Even with all of that, to expect HE to do something nonstandard is dreaming....
« Last Edit: May 21, 2020, 10:33:42 AM by snarked »
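The application-layer restriction snarked recommends, shown as a BIND named.conf fragment for the hidden master. This is an added example and not configuration from the thread or from HE: the secondary addresses are the ones quoted earlier in the thread, while the zone name, file path and ACL name are placeholders. The master refuses transfers and queries by default and only opens them, per zone, to the HE secondaries, so even if the host firewall is misconfigured named itself will not hand out the zone.

```conf
// Added example (not from the forum thread): hidden-master named.conf fragment.
// HE secondary addresses from the replies above; everything else is a placeholder.

acl "he-secondaries" {
    216.218.133.2;
    2001:470:600::2;
};

options {
    directory "/var/cache/bind";

    // an authoritative hidden master has no business recursing
    recursion no;

    // default-deny; each zone opens only what it needs
    allow-transfer { none; };
    allow-query    { none; };
    allow-update   { none; };

    // the master pushes NOTIFY to the secondaries it lists explicitly,
    // not to whatever NS records the zone happens to contain
    notify explicit;
    also-notify { 216.218.133.2; 2001:470:600::2; };
};

// log refused transfers so unexpected AXFR attempts are visible
logging {
    channel xfer_log {
        file "/var/log/named/xfer.log" versions 5 size 10m;
        severity info;
        print-time yes;
    };
    category xfer-out { xfer_log; };
    category security { xfer_log; };
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";   // placeholder path

    // only the HE secondaries may query (SOA checks) and transfer this zone
    allow-query    { he-secondaries; };
    allow-transfer { he-secondaries; };
};
```

After loading this, a transfer attempt from any other address is answered with REFUSED and shows up in the security/xfer-out log channel; a `dig @master example.com AXFR` from the HE secondary addresses is the only path that should succeed.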