DNS/BIND and firewall ports?

Jim Reid jim at rfc1035.com
Sat Jan 29 00:54:42 UTC 2000


>>>>> "Daniel" == Daniel Yoo <dyoo at sfu.ca> writes:

    Daniel> Hello, I'm currently running BIND 8.1.2 on a Linux Router
    Daniel> (kernel 2.0.36) that doubles as a firewall.

8.1.2 is old, buggy and has security holes. You need to replace it
with the current version, 8.2.2P5, especially on something that's
acting as a firewall.

    Daniel> However, after installing BIND, I can only get DNS lookups
    Daniel> to work if UDP ports are open. I'm not sure what range to
    Daniel> restrict the UDP ports to, and was wondering if I could
    Daniel> get help from someone?

By default, a BIND8 name server uses a random, non-privileged UDP port
for making queries to other name servers. You can use a query-source
clause in the options{} statement to change this behaviour and get the
name server to use some fixed port number and/or IP address. This
would make it easier for your firewall's packet filtering rules. It's
also probably a lot safer than allowing traffic in and out for all
possible non-privileged UDP ports. Don't forget that you'll have to
allow incoming traffic to port 53 of your name server - UDP and TCP -
if the outside world has to query your server to look up your zone
data.
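As an added illustration (not part of the original post), the following model contrasts the two packet-filter policies described above: with BIND 8's default random source port every unprivileged UDP port has to be open for replies, whereas a `query-source address * port N;` clause in `options{}` reduces that to port N plus the inbound 53/UDP and 53/TCP rules. The addresses, the pinned port 1053 and the rule engine itself are constructed for the example, not the poster's or BIND's code.

```python
"""Model the inbound filter a BIND name server needs, with and without a
fixed query-source port. Constructed example; not a real firewall config."""
from dataclasses import dataclass
from typing import Optional, Set

NS_IP = "192.0.2.53"        # constructed address of the name server / firewall
FIXED_QUERY_PORT = 1053     # what `query-source address * port 1053;` would pin


@dataclass(frozen=True)
class Packet:
    proto: str              # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def inbound_allowed(pkt: Packet, query_port: Optional[int]) -> bool:
    """Return True if the filter should accept an inbound packet.

    query_port=None models the BIND8 default: outbound queries leave from a
    random unprivileged UDP port, so replies may arrive on any port 1024-65535.
    query_port=N models a query-source clause: replies only come back to N.
    """
    if pkt.dst_ip != NS_IP:
        return False
    # Outside world querying our zone data: port 53, both UDP and TCP.
    if pkt.dst_port == 53 and pkt.proto in ("udp", "tcp"):
        return True
    # Replies from other name servers come from their port 53 over UDP.
    if pkt.proto == "udp" and pkt.src_port == 53:
        if query_port is None:
            return 1024 <= pkt.dst_port <= 65535
        return pkt.dst_port == query_port
    return False


def open_udp_ports(query_port: Optional[int]) -> Set[int]:
    """Set of destination UDP ports the policy ends up exposing to replies."""
    probe = "198.51.100.1"  # constructed remote name server address
    return {p for p in range(1, 65536)
            if inbound_allowed(Packet("udp", probe, 53, NS_IP, p), query_port)}


if __name__ == "__main__":
    print("random source port exposes", len(open_udp_ports(None)), "UDP ports")
    print("fixed query-source exposes", sorted(open_udp_ports(FIXED_QUERY_PORT)))
```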
