Best ipfw Rules for DNS-SEC
Mark Andrews
marka at isc.org
Tue Mar 15 23:36:08 UTC 2011
In message <1200B563-8A00-4C0A-822D-85733143F8FA at mac.com>, Chuck Swiger writes:
> On Mar 15, 2011, at 11:08 AM, Martin McCormick wrote:
> > Is there a recommended set of firewall rules that insure that all
> > necessary DNS traffic can enter and leave, even the larger
> > packets that result from dns-sec?
>
> # allow UDP DNS queries out to the world, and in to your nameservers
> ## It's faster to do this stateless, and reduces DoS risk against the firewall,
> ## but you are exposing your network to UDP port scans from source port 53
> ## (if you have other open UDP ports). If you want to be stateful, switch to:
> ## add pass udp from any to $NAMESERVER_IP 53 keep-state
> ## add pass udp from $YOURNET to any 53 keep-state
>
> add pass udp from any to $NAMESERVER_IP 53
> add pass udp from $NAMESERVER_IP 53 to any
> add pass udp from $YOURNET 53,1024-65535 to any 53
> add pass udp from any 53 to $YOURNET 53,1024-65535
>
> # allow TCP DNS outbound and inbound only to nameserver boxes
> ## Likewise, you can add keep-state if you want to be stateful;
> ## in which case the established line can be removed.
> add pass tcp from any to any established
> add pass tcp from $YOURNET to any 53 setup
> add pass tcp from any to $NAMESERVER_IP 53 setup
>
> ------
>
> For something like a Cisco PIX/ASA, you probably want "no fixup protocol dns"
> to avoid breaking EDNS, but "fixup protocol dns maximum-length 4096" might
> be a workable alternative.
You also want to pass UDP fragments, e.g.

ipfw:
    add pass udp from any to any frag

ipf:
    pass in quick proto udp from any to any with frag keep frag
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
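The following script is an added example and is not part of the thread above; it combines Chuck's stateless UDP and TCP rules with Mark's fragment rule into one parameterized ipfw ruleset and adds a small check that the set covers the three things a DNSSEC-validating resolver needs: UDP 53, UDP fragments, and TCP 53 fallback. The fragment rule matters because ipfw's "frag" keyword matches non-first fragments, which carry no UDP header, so the port-based UDP rules can never match them; with first-match-wins ordering the frag rule must appear before any rule that would deny the packet. NAMESERVER_IP and YOURNET default to constructed documentation-range addresses (RFC 5737); set them for your site. The check_rules and dns_rules function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bind-users thread.
# Builds a DNS/DNSSEC ipfw ruleset and checks it for the pieces DNSSEC needs.

# Constructed placeholder values (RFC 5737 documentation range); override via env.
NAMESERVER_IP="${NAMESERVER_IP:-192.0.2.53}"
YOURNET="${YOURNET:-192.0.2.0/24}"

# Print the ruleset. ipfw assigns rule numbers in the order given when they are
# omitted, and the first matching rule wins, so the order below is significant.
dns_rules() {
    cat <<EOF
# UDP DNS, stateless: in to the nameserver, out from the resolver source ports
add pass udp from any to $NAMESERVER_IP 53
add pass udp from $NAMESERVER_IP 53 to any
add pass udp from $YOURNET 53,1024-65535 to any 53
add pass udp from any 53 to $YOURNET 53,1024-65535
# Non-first fragments have no UDP header, so the port rules above never match
# them; large DNSSEC answers fragment, so pass fragments explicitly (before any deny).
add pass udp from any to any frag
# TCP fallback for answers that do not fit in UDP (TC bit set)
add pass tcp from any to any established
add pass tcp from $YOURNET to any 53 setup
add pass tcp from any to $NAMESERVER_IP 53 setup
EOF
}

# Return 0 only if the ruleset text in $1 covers UDP 53, UDP fragments and
# TCP 53 setup; a ruleset missing any of them would break DNSSEC lookups.
check_rules() {
    rules="$1"
    ok=0
    printf '%s\n' "$rules" | grep -q 'pass udp .* 53' || ok=1
    printf '%s\n' "$rules" | grep -q 'pass udp from any to any frag' || ok=1
    printf '%s\n' "$rules" | grep -q 'pass tcp .* 53 setup' || ok=1
    return $ok
}

# Only load into the kernel when asked explicitly and ipfw exists on this host;
# otherwise print the rules so the script is safe to run anywhere.
if [ "${1:-}" = "--apply" ] && command -v ipfw >/dev/null 2>&1; then
    dns_rules | grep -v '^#' | while read -r line; do
        # word splitting of $line is intended: each line is one ipfw command
        ipfw -q $line
    done
else
    dns_rules
fi
```

Run it without arguments to review the generated rules; run it with --apply on the firewall host to load them. Rules are appended, so if an existing deny rule precedes them, renumber or insert them with explicit lower numbers so the frag rule is evaluated first.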