Bind 8.22P5, IPChains and recursion: a suggestion
Mark.Andrews at nominum.com
Thu Sep 21 23:40:30 UTC 2000
As you are an ISP and are offering DNS to your clients and
have IP access to the Internet as a whole, you are doing
your clients a disservice if you think you can rely on
forwarders only (which you are with this firewall setup)
to provide reliable DNS.
The following are pretty much standard firewall rules for
DNS with a stateless firewall. They can be refined further
with a stateful firewall.
TCP established:
	any:any <-> local:any
TCP setup:
	any:any -> local:53
TCP setup:
	any:53 <- local:any
UDP:
	any:any <-> local:53
UDP:
	any:53 <-> local:<port set via query-source>
Mark
> Hi.
> I have set up Bind on Redhat Linux 6.2 for use as a primary
> DNS server on an ISP. It has been configured with two DNSes
> (our maintainer's and our country's RA's) as "forwarders", and,
> obviously, with the 13 Internic root name servers as "."
> I have set up the IPChains firewall over it, allowing
> connections to port 53 from anywhere and connections to port
> 53 of the root name servers and forwarders only. By requesting
> non-authoritative lookups from my DNS, however, I have noted
> that it sometimes tries to connect to port 53 of other name servers
> than these 15. I suppose this is a process of "recursion".
> I had to modify my firewall rules to allow connections to
> port 53 to any host, but this obviously increases insecurity.
> Do you think that disallowing recursion in named.conf would solve
> the problem and allow me to set the former, higher firewall
> protection? If yes, at what cost? More time needed to get the
> answer? Or the risk of not getting the answer at all?
> Anyway, do you have any suggestion for this specific problem and
> for my situation in general?
> Thanks a lot for your help in advance.
>
> Marten
>
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
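The rule set above, rendered as the ipchains commands Marten would type on his Red Hat 6.2 box. This is an added example, not part of Mark's or Marten's messages: the server address (192.0.2.53) and the query-source port (1053, fixed in named.conf with `options { query-source address * port 1053; };`) are hypothetical values, and the interface-less rules assume a single-homed host. The script only prints the commands, so it can be reviewed before being run as root; the `-y` test distinguishes the initial SYN from the rest of a TCP session, which is as close to "established" as a stateless filter gets, and is the part a stateful firewall would refine.

```shell
#!/bin/sh
# Added example (not from the original post): emit ipchains rules for a
# recursive name server behind a stateless packet filter, following the
# "TCP established / TCP setup / UDP" rule set in Mark Andrews' reply.
#
# Assumptions (hypothetical values, adjust to the real host):
#   host  - the name server's own address
#   qsrc  - the UDP source port fixed with query-source in named.conf

dns_rules() {
    host=$1
    qsrc=$2

    # Default deny; every rule below is an explicit ACCEPT.
    echo "ipchains -P input DENY"
    echo "ipchains -P output DENY"

    # TCP established: any:any <-> local:any
    # "! -y" matches every TCP segment that is not a bare SYN, i.e. the
    # body of a session that one of the setup rules below let through.
    echo "ipchains -A input -p tcp ! -y -s 0.0.0.0/0 -d $host -j ACCEPT"
    echo "ipchains -A output -p tcp ! -y -s $host -d 0.0.0.0/0 -j ACCEPT"

    # TCP setup: any:any -> local:53
    # Inbound connections to our server (zone transfers, truncated answers).
    echo "ipchains -A input -p tcp -y -s 0.0.0.0/0 -d $host 53 -j ACCEPT"

    # TCP setup: any:53 <- local:any
    # Outbound connections to port 53 of ANY server: this is what recursion
    # needs and what a root-and-forwarders-only rule set blocks.
    echo "ipchains -A output -p tcp -y -s $host -d 0.0.0.0/0 53 -j ACCEPT"

    # UDP: any:any <-> local:53
    # Clients' queries to us and our replies to them.
    echo "ipchains -A input -p udp -s 0.0.0.0/0 -d $host 53 -j ACCEPT"
    echo "ipchains -A output -p udp -s $host 53 -d 0.0.0.0/0 -j ACCEPT"

    # UDP: any:53 <-> local:<query-source port>
    # Our own recursive queries to any authoritative server and the answers.
    # Pinning query-source is what lets a stateless filter open one port
    # instead of the whole unprivileged range.
    echo "ipchains -A output -p udp -s $host $qsrc -d 0.0.0.0/0 53 -j ACCEPT"
    echo "ipchains -A input -p udp -s 0.0.0.0/0 53 -d $host $qsrc -j ACCEPT"
}

# Print the rules for review; pipe into sh as root to apply them.
dns_rules "${1:-192.0.2.53}" "${2:-1053}"
```

Compared with the original "port 53 of the root servers and forwarders only" policy, the only thing this opens further is outbound port 53 to any address, and only from the pinned query-source port (UDP) or as a fresh outbound connection (TCP); inbound traffic to arbitrary local ports is still denied.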