As quickly as possible, I'm trying to get my name servers upgraded, but also, of course, to the extent I am able, I'm trying to understand the current issue.
I read the following very helpful document: http://www.isc.org/sw/bind/docs/FAQ-about-random-query-issue.php but it raises a couple of questions for me. Specifically, I am almost exclusively a FreeBSD user. Given that, what's the Most Right Thing To Do here?

I see the following comment in the above document:

> It is recommended it contain at least 16384 ports (14 bits of entropy).
>
> 12. What about default port ranges defined by my system?
>
> In the -P1 releases, the UDP range is 1024 through 65535. In the betas, a few BSD operating systems' sysctl tunables are used at named startup. On other systems, the range is 1024 through 65535.

OK, so which specific tunable(s) are important here? Would that be one of these two?

    net.inet.ip.portrange.first
    net.inet.ip.portrange.highfirst

If so, which one, specifically?

Second question: Regardless of which of the above two tunables is the Right One, would it be advisable to reduce the default value of whichever of the two is "significant" in this context, i.e. from the current default of 49152 to, say, 32767? (Doing that would further increase the "entropy" of the query ports and thus further reduce risks, right?)

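As an added example (not part of the post above, and not ISC's or FreeBSD's own tooling): the arithmetic behind the FAQ's "at least 16384 ports (14 bits of entropy)" recommendation, as a small POSIX sh script. It computes the size of a source-port range from its first and last port, the bits of entropy that size gives (floor of log2), and whether the range meets the 16384-port minimum. The sysctl names it reads when run on FreeBSD are the ones documented in ip(4), net.inet.ip.portrange.first/last and hifirst/hilast; which of those ranges a given named build actually uses is exactly the question asked above, so the script simply reports both rather than assuming an answer. The default values shown in comments (49152-65535 for the high range, 1024-65535 for the FAQ's non-BSD range) are assumptions taken from the post and the quoted FAQ.

```shell
#!/bin/sh
# Added example: size and entropy of a UDP source-port range, and a check
# against ISC's recommendation of at least 16384 ports (14 bits).
# Usage: port_range_count FIRST LAST ; port_range_bits FIRST LAST ;
#        check_port_range FIRST LAST  (exit 0 if the range is big enough)

# Number of ports in an inclusive range FIRST..LAST.
port_range_count() {
    echo $(( $2 - $1 + 1 ))
}

# Bits of entropy a range of that size provides: floor(log2(count)).
# 16384 ports -> 14 bits; 32768 -> 15 bits; 64512 (1024..65535) -> 15 bits.
port_range_bits() {
    prb_n=$(port_range_count "$1" "$2")
    prb_bits=0
    while [ "$prb_n" -gt 1 ]; do
        prb_n=$(( prb_n / 2 ))
        prb_bits=$(( prb_bits + 1 ))
    done
    echo "$prb_bits"
}

# Minimum from the ISC FAQ quoted above: 16384 ports (14 bits of entropy).
MIN_PORTS=16384

# Exit status 0 if FIRST..LAST has at least MIN_PORTS ports, 1 otherwise.
check_port_range() {
    [ "$(port_range_count "$1" "$2")" -ge "$MIN_PORTS" ]
}

# Print one line describing a named range: count, bits, and whether it passes.
describe_range() {
    dr_count=$(port_range_count "$2" "$3")
    dr_bits=$(port_range_bits "$2" "$3")
    if check_port_range "$2" "$3"; then dr_ok=ok; else dr_ok="TOO SMALL"; fi
    echo "$1: $2-$3 = $dr_count ports, $dr_bits bits: $dr_ok"
}

# On FreeBSD, read the live tunables from ip(4) and report both ranges.
# On systems without these sysctls (e.g. Linux) this prints nothing.
report_live_ranges() {
    if command -v sysctl >/dev/null 2>&1 \
       && sysctl -n net.inet.ip.portrange.hifirst >/dev/null 2>&1; then
        describe_range "portrange.first/last (default ephemeral range)" \
            "$(sysctl -n net.inet.ip.portrange.first)" \
            "$(sysctl -n net.inet.ip.portrange.last)"
        describe_range "portrange.hifirst/hilast (high range)" \
            "$(sysctl -n net.inet.ip.portrange.hifirst)" \
            "$(sysctl -n net.inet.ip.portrange.hilast)"
    fi
}

# Worked values: FreeBSD's assumed high-range default 49152-65535 is exactly
# 16384 ports, i.e. the bare minimum; lowering hifirst to 32767 as the post
# proposes roughly doubles it; the FAQ's 1024-65535 range is larger still.
describe_range "high range, assumed default"      49152 65535
describe_range "high range, hifirst lowered"      32767 65535
describe_range "FAQ range on non-BSD systems"     1024  65535
report_live_ranges
```

A range of exactly 16384 ports sits right on the ISC threshold, which is why the "lower the first port" idea in the post gains a bit of entropy: 32767-65535 is 32769 ports, one more bit. Note the script only measures the range; it cannot tell you which tunable a particular named binary consults, and lowering a port-range floor also widens the range that every other UDP client on the host draws from.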