On 2017/01/16 15:37, Damian McGuckin wrote:
> On Mon, 16 Jan 2017, Stuart Henderson wrote:
>
> > In normal operations NSD _does_ run on port 53.
>
> Yes. But if you want both NSD and UNBOUND running on the same box, things
> need to change.

Not necessarily, because they can run on different addresses. For example
you could have unbound bound to an internal address and NSD listening to an
external one.

> > Prior to the change to make -p an error, but after the dns pledge was
> > added, -p was allowed but ignored with a warning. See the commit adding
> > SOCK_DNS.
>
> On my OpenBSD 5.1 system, '-p' was still allowed, and it had a pledge list
> of "stdio dns". When 'rpath' was added to the pledge list, it was at this
> time at which '-p' was effectively disabled.

I'm not sure how you're fetching code to see this, but if it's showing you
pledge in 5.1 then something is wrong with it, it's a much newer addition.

> > Alternatively you could use the version of dig from packages which
> > doesn't use pledge:
> >
> > pkg_add isc-bind
> > /usr/local/bin/dig -p
> >
> > However, because this one doesn't use pledge at all, bugs are a bigger risk.

(I should also add that it's a much newer version and bugs have been fixed
since 9.4.2-P2 which is in base).

> I thought the whole idea of using NSD/UNBOUND is to avoid installing
> 'isc_bind'.

Well, the tools you're using for this are part of BIND...

> I still cannot see what risk there is on querying a DNS on a non-standard
> port. Enlighten me please?

None, if that's what you are expecting to do. Plenty, if the code has been
subverted to make an unexpected network connection.
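As an added illustration of the "different addresses" point above (this is example configuration written for this page, not something posted in the thread), the two daemons can both keep port 53 if each is bound to its own address. The addresses 192.0.2.10 (external, NSD) and 10.0.0.1 / 127.0.0.1 (internal, unbound) and the zone name are constructed placeholders; the directive names are the real unbound.conf(5) and nsd.conf(5) keywords.

```conf
# /var/unbound/etc/unbound.conf  (recursive resolver, internal side only)
server:
	# listen only on the loopback and the internal interface address
	interface: 127.0.0.1
	interface: 10.0.0.1
	port: 53
	# answer recursive queries only from the internal network
	access-control: 127.0.0.0/8 allow
	access-control: 10.0.0.0/8 allow
	access-control: 0.0.0.0/0 refuse

# /var/nsd/etc/nsd.conf  (authoritative server, external side only)
server:
	# listen only on the public address; the same port 53 is free here
	# because unbound never binds this address
	ip-address: 192.0.2.10
	port: 53

zone:
	name: "example.com"
	zonefile: "example.com.zone"
```

Because neither daemon uses the wildcard address, there is no bind conflict and no need for a non-standard port, which is what makes the `dig -p` question moot for this layout. The `access-control: 0.0.0.0/0 refuse` line in unbound is worth keeping even though the public address is not bound: it means a later mistake that adds an `interface:` line for the external address does not silently turn the box into an open resolver.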