Bind as cache DNS and firewall
Ulrich David
david.ulrich at siesa.ch
Thu Aug 19 06:21:18 UTC 2010
Hi Jason and Robert,
Sorry for my lack of details.
My firewall has stateful inspection enabled for all port :
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
I permit all outgoing packet. The opened incoming ports are 22 tcp (for all IP), 53 tcp and udp (filtered for my clients IP - they have public IPs... so... -).
I enable LOG for iptables but protect it against DoS. Doing this permit me to do some "inspection" :) .
I have a BIND 9.4.3-P5 (running on a linux). It's last stable release on my distribution. query-source is not enabled. My configuration is very simple :
options {
directory "/var/bind";
listen-on-v6 { none; };
listen-on { any; };
allow-query {
local;
my-clients;
my-servers;
my-private-network;
};
statistics-file "/var/bind/stats/named.stats";
version "None of your business";
blackhole { blacklist; };
max-cache-size 0;
recursive-clients 10000;
pid-file "/var/run/named/named.pid";
};
I have some zone (in-addr.arpa, . , localhost). I have logging and controls block too.
I can go up to 4000 queries/seconds (a lot of mailservers on my network).
named is running well. But I have some problems with some perharps "bogus" authoritative dns (ns51.domaincontrol.com andns52.domaincontrol.com for example)... so I decided to see if it's not my configuration which has a problem.
Regards,
David
Le 19 août 2010 à 04:23, Jason Roysdon a écrit :
>
> On 08/18/2010 02:42 PM, Ulrich David wrote:
>> Hi,
>>
>> I'm using Bind as a cache (absolutely not authoritative) DNS for a public network. I have put a firewall in order to refuse incoming packets from people not on my network.
>>
>> Today, inspecting logs, I see this :
>>
>> Aug 18 17:31:44 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=50785 CE PROTO=UDP SPT=56592 DPT=53 LEN=49
>> Aug 18 17:31:48 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=59 TOS=00 PREC=0x00 TTL=120 ID=23374 PROTO=UDP SPT=57527 DPT=53 LEN=39
>> Aug 18 17:31:51 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=207.38.104.93 DST=MY.CACHE.DNS LEN=47 TOS=00 PREC=0x00 TTL=48 ID=48457 CE PROTO=UDP SPT=32779 DPT=53 LEN=27
>> Aug 18 17:31:56 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=72 TOS=00 PREC=0x00 TTL=120 ID=38433 CE PROTO=UDP SPT=53494 DPT=53 LEN=52
>> Aug 18 17:32:00 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=109.164.132.64 DST=MY.CACHE.DNS LEN=60 TOS=00 PREC=0x00 TTL=112 ID=24658 PROTO=UDP SPT=51908 DPT=53 LEN=40
>> Aug 18 17:32:04 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=40178 CE PROTO=UDP SPT=48147 DPT=53 LEN=49
>> Aug 18 17:32:08 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=213.3.5.3 DST=MY.CACHE.DNS LEN=68 TOS=00 PREC=0x00 TTL=53 ID=15544 PROTO=UDP SPT=18967 DPT=53 LEN=48
>>
>> This traffic came from other DNS server in the world. As it's UDP I think of UDP queries going from my cache server to other DNS server, and I catch their UDP responses in the firewall. Is it possible?
>>
>> So I should open my firewall for UDP on port 53 for all the world?
>>
>> Regards,
>>
>> David
>
>
> David,
>
> First, double-check that you're on a current BIND release. Second,
> check that your named.conf doesn't have "query-source" bound to port 53.
> It's bad to always source your queries from port 53, as it allows your
> cache to get bogus spoofed replies from systems you aren't asking
> queries of.
>
> Provided that you are running a recent version of BIND, and that you are
> configuring your named.conf to query from port 53, your DNS server
> should be sending out UDP queries from random, high-numbered ephemeral
> ports. See the Wikipedia article on this, which discusses Linux port
> defaults vs. IANA recommended port range, etc. (as I'm typing this while
> offline). Your server should be sourcing from those random,
> high-numbered ephemeral ports to remote DNS servers' udp/53. Their
> queries should come back from their same udp/53 source to your same
> original high-numbered ephemeral port.
>
> As you should be sending UDP queries from high-numbered ports, and your
> queries are never going to originate from udp/53, so you should never
> get replies destined for your udp/53.
>
> You should absolutely not open your firewall to queries from UDP/53 as
> it is not authoritative and is not an open dns resolving server for the
> Internet (or if it was, you shouldn't be asking questions on here how to
> secure it).
>
> I would configure your firewall to -j DROP and not first -j LOG these
> packets. No need filling up your syslog with bogus queries.
>
> My guess is that there are some poorly configured remote firewalls.
>
> Jason Roysdon
> http://jason.roysdon.net/
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list