• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Non standard ports on DNS Slave

Started by taylorcs89, May 19, 2020, 04:58:40 PM

Previous topic - Next topic

taylorcs89

I have a hidden master server, using dns.he.net to slave to it.  However it only accepts default port of 53.  Is there a way to use a non standard port?

passport123

#1
I'm not sure the reason behind your need, however, I did have a similar need, i.e., I did not want random hosts/scanners connecting to the hidden master.

I resolved that need by configuring the firewall on the hidden master to allow inbound connections only from the HE secondary servers, 216.218.133.2 and 2001:470:600::2.  Outbound connections to any IP were already allowed.

That's been working fine for me.


snarked

#2
I agree with the above solution.  AXFRs should also be restricted at the server's application layer.

A nonstandard port isn't an option by using dns data.  To access a SRV record, one must make a DNS query to fetch it - so how is one going to do that to know to use the nonstandard port to get the record to get that info?  One can't glue SRV records to a parent zone.

With BIND, the server statement doesn't have a port option.  You're on your own as to other software.

Using DANE with DNS, one has to fetch the SRV record (and TLSA records) for "_853._tcp.DNS...." via port 53 unencrypted before using TLS-secured DNS queries.  Same problem as above.

Even with all of that, to expect HE to do something nonstandard is dreaming....