Bind 8.22P5, IPChains and recursion: a suggestion

Joseph S D Yao jsdy at cospo.osis.gov
Thu Sep 21 23:56:48 UTC 2000


On Thu, Sep 21, 2000 at 07:35:02PM +0000, Marten wrote:
> Hi.
> I have set up Bind on Redhat Linux 6.2 for use as a primary
> DNS server on an ISP. It has been configured with two DNSes
> (our maintainer's and our country's RA's) as "forwarders", and,
> obviously, with the 13 Internic root name servers as "."
> I have set up the IPChains firewall over it, allowing
> connections to port 53 from anywhere and connections to port
> 53 of the root name servers and forwarders only. By requesting
> non-authoritative lookups from my DNS, however, I have noted
> that it sometimes tries to connect to port 53 of other name servers
> than these 15. I suppose this is a process of "recursion".
> I had to modify my firewall rules to allow connections to
> port 53 to any host, but this obviously increases insecurity.
> Do you think that disallowing recursion on named.conf would solve
> the problem and allow me to set the former, higher firewall
> protection? If yes, at what cost? More time needed to get the
> answer? Or the risk not to get the answer at all?
> Anyway, do you have any suggestion for this specific problem and
> for my situation in general?

I would not have my main name server on my firewall.  Have your
internal name server on another machine, and have it forward all
unresolved queries to the firewall machine.  Let your firewall accept
all DNS queries from the internal name server, and allow it to query
anybody that it wants on the Internet.  This is how the distributed
database known as DNS works.

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
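The layout Joe describes, written out as an added example (not part of the thread, and not Marten's or Joe's configuration): an internal name server that only forwards to the firewall's named, a firewall whose own named is the single host allowed to reach port 53 anywhere, and a logged deny for everything else trying to cross the firewall to port 53. The addresses are constructed placeholders, and the functions print the ipchains commands and the BIND 8 `named.conf` options instead of installing them, so they can be reviewed first and piped through `sh` on the firewall afterwards.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses below are constructed
# placeholders; replace them with the real inside/outside addresses.
INT_NS=${INT_NS:-192.168.1.2}    # internal name server (assumed address)
FW_INT=${FW_INT:-192.168.1.1}    # firewall's inside address (assumed)
FW_EXT=${FW_EXT:-203.0.113.1}    # firewall's outside address (assumed)

# Print the ipchains rules one command per line. Run `dns_rules | sh` on
# the firewall to install them; run `dns_rules` alone to review them.
dns_rules() {
    for proto in udp tcp; do
        # internal resolver -> firewall's named, and the replies back
        echo "ipchains -A input  -p $proto -s $INT_NS -d $FW_INT 53 -j ACCEPT"
        echo "ipchains -A output -p $proto -s $FW_INT 53 -d $INT_NS -j ACCEPT"
        # firewall's own named -> any name server on the Internet, and replies
        echo "ipchains -A output -p $proto -s $FW_EXT -d 0.0.0.0/0 53 -j ACCEPT"
        echo "ipchains -A input  -p $proto -s 0.0.0.0/0 53 -d $FW_EXT -j ACCEPT"
    done
    # nothing forwarded through the firewall may reach port 53 outside;
    # -l logs the attempt so a misconfigured or compromised host shows up
    echo "ipchains -A forward -p udp -d 0.0.0.0/0 53 -l -j DENY"
    echo "ipchains -A forward -p tcp -d 0.0.0.0/0 53 -l -j DENY"
}

# named.conf options for the internal name server (BIND 8 syntax): hand every
# unresolved query to the firewall's named and never contact other servers,
# so the internal host only ever needs port 53 on the firewall.
internal_named_conf() {
    cat <<EOF
options {
	directory "/var/named";
	forward only;
	forwarders { $FW_INT; };
};
EOF
}

dns_rules
internal_named_conf
```

The firewall's own named keeps whatever `named.conf` it already has; the point of the split is that only its outside address appears in the rules that reach `0.0.0.0/0`, so the earlier "port 53 to any host" allowance no longer applies to internal machines.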