Bind 8.22P5, IPChains and recursion: a suggestion

Mark.Andrews at nominum.com
Thu Sep 21 23:40:30 UTC 2000


	As you are an ISP and are offering DNS to your clients and
	have IP access to the Internet as a whole, you are doing
	your clients a disservice if you think you can rely on
	forwarders only (which you are with this firewall setup)
	to provide reliable DNS.

	The following are pretty much standard firewall rules for
	DNS with a stateless firewall.  They can be refined further
	with a stateful firewall.

	TCP established:
		any:any <-> local:any
	TCP setup:
		any:any -> local:53
	TCP setup:
		any:53  <- local:any
	UDP:	any:any <-> local:53
	UDP:	any:53  <-> local:<port set via query-source>

	Mark

> Hi.
> I have set up Bind on Redhat Linux 6.2 for use as a primary
> DNS server on an ISP. It has been configured with two DNSes
> (our maintainer's and our country's RA's) as "forwarders", and,
> obviously, with the 13 Internic root name servers as "."
> I have set up the IPChains firewall over it, allowing
> connections to port 53 from anywhere and connections to port
> 53 of the root name servers and forwarders only. By requesting
> non-authoritative lookups from my DNS, however, I have noted
> that it sometimes tries to connect to port 53 of other name servers
> than these 15. I suppose this is a process of "recursion".
> I had to modify my firewall rules to allow connections to
> port 53 to any host, but this obviously increases insecurity.
> Do you think that disallowing recursion on named.conf would solve
> the problem and allow me to set the former, higher firewall
> protection? If yes, at what cost? More time needed to get the
> answer? Or the risk not to get the answer at all?
> Anyway, do you have any suggestion for this specific problem and
> for my situation in general?
> Thanks a lot for your help in advance.
> 
> Marten
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
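The rule table in Mark's reply, rendered as ipchains commands in an added example that is not part of either message. The rules are printed rather than applied so they can be reviewed before use; the server address 192.0.2.53 and the query-source port 53210 (the port fixed with "query-source" in named.conf) are constructed values.

```shell
#!/bin/sh
# Emit ipchains rules for a recursive name server behind a stateless
# firewall, following the "TCP established / TCP setup / UDP" table above.
# Arguments: $1 = the name server's own address, $2 = the UDP port fixed
# with "query-source address * port N" in named.conf (both assumed values).
# Note: "-y" matches TCP packets with SYN set (connection setup), "! -y"
# matches everything else (the "established" rule in the table).
dns_rules() {
  ns="$1"
  qp="$2"
  cat <<EOF
# TCP established: any:any <-> local:any
ipchains -A input  -p tcp ! -y -s 0.0.0.0/0 -d $ns -j ACCEPT
ipchains -A output -p tcp ! -y -s $ns -d 0.0.0.0/0 -j ACCEPT
# TCP setup: any:any -> local:53 (zone transfers and large answers served by us)
ipchains -A input  -p tcp -y -s 0.0.0.0/0 -d $ns 53 -j ACCEPT
# TCP setup: any:53 <- local:any (truncated answers we fetch over TCP)
ipchains -A output -p tcp -y -s $ns -d 0.0.0.0/0 53 -j ACCEPT
# UDP: any:any <-> local:53 (queries from clients and their answers)
ipchains -A input  -p udp -s 0.0.0.0/0 -d $ns 53 -j ACCEPT
ipchains -A output -p udp -s $ns 53 -d 0.0.0.0/0 -j ACCEPT
# UDP: any:53 <-> local:$qp (our own recursion to any authoritative server)
ipchains -A output -p udp -s $ns $qp -d 0.0.0.0/0 53 -j ACCEPT
ipchains -A input  -p udp -s 0.0.0.0/0 53 -d $ns $qp -j ACCEPT
EOF
}

# Count only the ipchains commands, not the comment lines.
dns_rule_count() {
  dns_rules "$1" "$2" | grep -c '^ipchains '
}

# Usage: dns_rules 192.0.2.53 53210 | sh   (after reviewing the output)
dns_rules 192.0.2.53 53210
```

Because recursion has to reach whatever authoritative server a referral names, the last UDP pair is deliberately open to any destination on port 53 but only from the fixed query-source port; the earlier setup that allowed port 53 of the root servers and forwarders only is what broke recursive lookups.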