Internal recursive nameserver access
Jim Reid
jim at rfc1035.com
Wed Aug 27 07:44:41 UTC 2003
>>>>> "Ladislav" == Ladislav Vobr <lvobr at ies.etisalat.ae> writes:
Ladislav> This was my target to get some best available setup of
Ladislav> acls in such conditions. Jim has suggested having all
Ladislav> random ports open just to be able to run dig on the
Ladislav> nameserver itself to query remote nameservers from time
Ladislav> to time, which seemed to me not justified enough, since
Ladislav> the server does not need them, and because of the
Ladislav> occasional dig I will not expose all udp ports.
I did not suggest that at all. I did say that IF you wanted to use dig
across the firewall, you need to accept that the query will come from
a random port and that implies random ports have to be accessible for
the inbound reply. Peter elaborated on that by talking about stateful
firewalls, i.e. it lets the query out but keeps track of the details
(port numbers and addresses, maybe the query ID and name) so that only
a reply to that query gets allowed in. I also explained -- and you
don't seem to have understood -- that constraining DNS traffic to use
specific ports "for security" is not a wise or particularly effective
policy. [Your externally resolving name servers shouldn't be running
anything other than named and maybe sshd. That means there won't be
any other ports/services for malicious traffic to attack.] A stateful
firewall makes port filtering for DNS traffic unnecessary anyway.
Ladislav> Many people replied, but nobody said what to do in the
Ladislav> conditions I have, which I believe are not rare at
Ladislav> all. Even in the reference Jim has mentioned "Building
Ladislav> Internet Firewalls, second edition, Chapter 20 - DNS"
Ladislav> there is nothing about query-source option of bind, or
Ladislav> fw states of DNS udp traffic; it generally says source
Ladislav> port random, deal with it.
Indeed. So deal with it.
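As an added illustration of the stateful tracking Jim describes (not code from the original thread), this constructed Python model records each outbound query's addresses, ports, query ID and question name, and admits an inbound packet only when it is the reply to a recorded query. The addresses, ports and DNS messages are constructed samples.

```python
import struct

def parse_dns(payload):
    """Return (txid, is_response, qname) from a raw DNS message.
    Only the header and the first question are decoded; that is all
    the state table needs to match a reply to its query."""
    txid, flags, _qdcount = struct.unpack("!HHH", payload[:6])
    labels, off = [], 12
    while True:
        ln = payload[off]
        off += 1
        if ln == 0:
            break
        labels.append(payload[off:off + ln].decode("ascii"))
        off += ln
    return txid, bool(flags & 0x8000), ".".join(labels).lower()

class DnsStateTable:
    """Minimal model of a stateful firewall tracking outbound DNS queries."""
    def __init__(self):
        self.pending = set()

    def outbound(self, src, sport, dst, dport, payload):
        """Resolver -> remote server. Record the query so its reply can be matched."""
        txid, is_response, qname = parse_dns(payload)
        if is_response:
            return False  # not a query: create no state for it
        self.pending.add((src, sport, dst, dport, txid, qname))
        return True

    def inbound(self, src, sport, dst, dport, payload):
        """Remote server -> resolver. Admit only the reply to a recorded query."""
        txid, is_response, qname = parse_dns(payload)
        key = (dst, dport, src, sport, txid, qname)  # mirror of the outbound tuple
        if not is_response or key not in self.pending:
            return False
        self.pending.discard(key)  # one reply per query; duplicates are dropped
        return True

def build_query(txid, qname, response=False):
    """Constructed sample DNS message: 12-byte header plus one A/IN question."""
    flags = 0x8180 if response else 0x0100
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    for label in qname.split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    return msg + b"\x00" + struct.pack("!HH", 1, 1)
```

The state entry is keyed on the mirrored address/port tuple plus query ID and name, so a packet from a different server, to a different port, or with an unknown ID is dropped even though the resolver's source port was random.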