Restricting access to DNS server/gateway

Jim Reid jim at rfc1035.com
Mon Feb 14 23:34:12 UTC 2000


>>>>> "John" == John Hovell <jhovell at futuris.net> writes:

    John> Hello all -- I am running DNS bind-8.2.2_P3-1 for Linux
    John> 2.2... on a machine that has 2 network interfaces (acts as a
    John> gateway).

The current version of BIND is 8.2.2P5. Get and install it.

    John> I am trying to restrict DNS access to just one network, and
    John> disallow service to the other.  I have tried using IP chains
    John> to drop packets coming from one adapter, but it just seems
    John> to disable the service entirely.
    John> Is there any built-in tcpwrapper-ish sort of security
    John> measure, or does anyone know what particular traffic I
    John> should be looking to block?

There is no "tcpwrapper-ish sort of security measure" for DNS. [FYI
tcp wrappers usually needs to make DNS lookups to decide who to allow
in and who to exclude. This makes it a bit difficult to apply this
sort of solution to the DNS itself.] And how could anyone on this list
possibly know what DNS traffic you want to block or know why you want
to block it? What is it you're trying to achieve? More importantly,
what is it that makes you believe that blocking DNS traffic will help
you reach that goal?

    John> I obviously still want access
    John> for 127.0.0.1, and additionally 1 of the two networks the
    John> computer is attached to (the other network is really the
    John> rest of the Internet -- that's what I want to disallow access
    John> from).

This might not be wise. If you block external access to your name
server, you could well make yourself unreachable from the Internet
because nothing can look up your domain(s) since they're denied access
to your name server(s).

    John> Right now I am blocking both udp and tcp on port 53,
    John> incoming from the external network interface with a
    John> destination address of the gateway.  But unfortunately this
    John> is disabling the service entirely.

BIND8's listen-on option and access control lists can be used to
restrict access to the name server. However unless you define and
document your rationale for applying them - your security policy in
other words - there probably isn't much point. Even then, these things
are best applied in the context of split DNS: when there's an internal
and external version of the domain, for instance because the internal
net is unreachable from the outside because it's on RFC1918 addresses.

A blanket ban on traffic to/from port 53 is unwise too. It'll stop
your name server from querying other name servers as well as stopping
them from querying your name server.
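
As an added illustration of the listen-on and ACL approach Jim refers to (an example configuration, not from the original post or the BIND distribution; the interface addresses, inside network and zone name are assumptions), a BIND 8 named.conf fragment that limits recursive service to the inside net while still answering authoritative queries from the Internet:

```conf
// Added example named.conf fragment for BIND 8.2.x; all addresses and the
// zone name are made up for illustration.

// Hosts allowed to use this server as a recursive resolver: the loopback
// interface and the inside network (assumed to be RFC1918 space).
acl "internal" { 127.0.0.1; 192.168.1.0/24; };

options {
    directory "/var/named";

    // Listen on the loopback and BOTH interfaces. Listening only on the
    // inside interface would have the effect John describes: nobody on
    // the Internet could resolve the zones this server is authoritative for.
    listen-on { 127.0.0.1; 192.168.1.1; 203.0.113.10; };

    // Default for queries that are not covered by a zone-level setting:
    // only inside hosts may ask this server to look things up for them.
    allow-query     { "internal"; };
    allow-recursion { "internal"; };
};

// The public zone overrides the default so that any resolver on the
// Internet can still get authoritative answers for it.
zone "example.net" {
    type master;
    file "db.example.net";
    allow-query { any; };
};

// Note: this replaces, rather than complements, a firewall rule that drops
// all port 53 traffic on the outside interface. Such a rule also discards
// the answers to this server's own outgoing queries.
```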
