Re: DNS control port additions to /etc/services

From: Stuart Henderson (stuspacehopper.org)
Date: Tue Jul 15 2014 - 10:05:24 CDT


On 2014/07/15 16:35, Antoine Jacoutot wrote:
> > I'll discuss tweaks to the diff below but I'm in two minds about whether
> > we want it. We don't enable the control socket in unbound by default at
> > present (there is a diff somewhere to move this to unix domain sockets
> > which we'd much prefer over network sockets..) Be aware, there is a
> > downside to adding entries to /etc/services on OpenBSD. It isn't just a
> > handy list of ports, it is used to populate net.inet.tcp.baddynamic and
> > net.inet.udp.baddynamic which are used to block off ports from dynamic
> > port allocation.
>
> Absolutely!
>
> > > > +named-rndc 953/tcp # Domain Name System (DNS) BIND RNDC Service
> > > > +named-rndc 953/udp # Domain Name System (DNS) BIND RNDC Service
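Review bot: the 953/udp line should be dropped from this hunk. The BIND control channel is TCP-only, and because /etc/services entries feed net.inet.udp.baddynamic, a 953/udp entry would withhold that UDP port from dynamic allocation for a service that never listens on it. Keep only `named-rndc 953/tcp`, and use the IANA-registered name for the service rather than a local one, as sperreault asked.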
> >
> > BIND uses TCP for the control socket, so if this does go in, please
> > do not list the UDP one.
>
> Well it depends what policy we want. Looking at the file most entries have both even if only one protocol is effectively in use.

Looking at the file though, most of those are older entries - I think
new entries should be specific, and where we have knowledge of the
protocols we should remove silly old ones. BGP, Gopher, HTTP, POP,
and IMAP over UDP look like good candidates for example..

> > 12345678901234567890123456789012345678901234567890123456789012345678901234567890
> > > > imaps 993/tcp # imap4 protocol over TLS/SSL
> > > > imaps 993/udp # imap4 protocol over TLS/SSL
> > > > pop3s 995/tcp spop3 # pop3 protocol over TLS/SSL
> > > > -301,6 +303,8 spamd 8025/tcp # spamd(8)
> > > > spamd-sync 8025/udp # spamd(8) synchronisation
> > > > spamd-cfg 8026/tcp # spamd(8) configuration
> > > > dhcpd-sync 8067/udp # dhcpd(8) synchronisation
> > > > +nsd-cntl 8952/tcp # NSD authoritative DNS server control
> > > > +unbound-cntl 8953/tcp # Unbound validating, recursive, and caching DNS server control
> > > > hunt 26740/udp # hunt(6)
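Review bot: the `+unbound-cntl 8953/tcp` line runs well past 80 columns (the ruler above the hunk shows where the limit falls); shorten the description to something like `# Unbound DNS server control`. Before adding it, also check whether 8953 is already listed elsewhere in the file so the same port/protocol does not appear twice. Both new names should follow the IANA registry rather than local naming.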
> >
> > +1 on sperreault's comment to use iana names. And let's try not
> > to go over 80 columns unnecessarily please.

Oh, 8953 is in already.
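The review points in this thread (entries in /etc/services double as the source of the per-protocol baddynamic port lists, new entries should name only the protocol actually used, duplicates and lines over 80 columns should be caught) lend themselves to a small linter. The following is an added example, not code from the thread or from OpenBSD: it models the baddynamic effect as "every port listed for a protocol is withheld for that protocol", and the sample file content, including the `ub-dns-control` duplicate entry, is constructed for illustration.

```python
"""Lint an /etc/services fragment the way the review in this thread does.

Added example, not part of the thread or of OpenBSD. The reserved-port
model below is this example's reading of the mail: every port listed for
a protocol is withheld from dynamic allocation for that protocol.
"""
from collections import defaultdict
from typing import List, NamedTuple, Tuple

# Constructed sample in /etc/services layout (tabs, comment after '#').
# The last line is a constructed duplicate of 8953/tcp, not a real entry.
SAMPLE = (
    "imaps\t\t993/tcp\t\t\t# imap4 protocol over TLS/SSL\n"
    "imaps\t\t993/udp\t\t\t# imap4 protocol over TLS/SSL\n"
    "named-rndc\t953/tcp\t\t\t# Domain Name System (DNS) BIND RNDC Service\n"
    "named-rndc\t953/udp\t\t\t# Domain Name System (DNS) BIND RNDC Service\n"
    "spamd\t\t8025/tcp\t\t# spamd(8)\n"
    "spamd-sync\t8025/udp\t\t# spamd(8) synchronisation\n"
    "unbound-cntl\t8953/tcp\t\t# Unbound validating, recursive, and caching DNS server control\n"
    "ub-dns-control\t8953/tcp\t\t# constructed duplicate of 8953/tcp\n"
)


class Entry(NamedTuple):
    lineno: int
    name: str
    port: int
    proto: str
    aliases: Tuple[str, ...]
    comment: str
    raw: str


def parse_services(text: str) -> List[Entry]:
    """Parse services(5)-style lines: name port/proto [aliases...] [# comment]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body, _, comment = raw.partition("#")
        fields = body.split()
        if not fields:
            continue  # blank or comment-only line
        if len(fields) < 2 or "/" not in fields[1]:
            raise ValueError(f"line {lineno}: malformed entry: {raw!r}")
        port, proto = fields[1].split("/", 1)
        entries.append(Entry(lineno, fields[0], int(port), proto,
                             tuple(fields[2:]), comment.strip(), raw))
    return entries


def reserved_ports(entries: List[Entry]) -> dict:
    """Model of the baddynamic lists the mail describes: each port listed for
    a protocol is withheld from dynamic port allocation for that protocol."""
    reserved = defaultdict(set)
    for e in entries:
        reserved[e.proto].add(e.port)
    return {proto: sorted(ports) for proto, ports in reserved.items()}


def dual_protocol_names(entries: List[Entry]) -> List[str]:
    """Names listed under both tcp and udp; each needs a check that the
    service really uses both, since a stray entry reserves a port for nothing."""
    protos = defaultdict(set)
    for e in entries:
        protos[e.name].add(e.proto)
    return sorted(n for n, p in protos.items() if {"tcp", "udp"} <= p)


def lint(entries: List[Entry], max_cols: int = 80) -> List[Tuple[int, str, str]]:
    """Return (lineno, kind, message) for lines over max_cols (tabs expanded
    to 8) and for a port/protocol pair that is already listed."""
    findings = []
    seen = {}
    for e in entries:
        width = len(e.raw.expandtabs(8))
        if width > max_cols:
            findings.append((e.lineno, "width", f"{width} columns, limit {max_cols}"))
        key = (e.port, e.proto)
        if key in seen:
            findings.append((e.lineno, "duplicate",
                             f"{e.port}/{e.proto} already listed on line {seen[key]}"))
        else:
            seen[key] = e.lineno
    return findings


if __name__ == "__main__":
    parsed = parse_services(SAMPLE)
    for proto, ports in reserved_ports(parsed).items():
        print(f"{proto}: withheld from dynamic allocation: {ports}")
    print("listed for both tcp and udp, confirm both are used:", dual_protocol_names(parsed))
    for lineno, kind, msg in lint(parsed):
        print(f"line {lineno}: {kind}: {msg}")
```

Run against a real /etc/services by replacing `SAMPLE` with the file's contents; the width check assumes 8-column tabs, which is how the ruler in the quoted mail was measured.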