bind and firewall opinion is needed

Kevin Darcy kcd at daimlerchrysler.com
Tue Apr 24 21:44:11 UTC 2001


Sergey Nikolaev wrote:

> Hi,
>
> In the case when the master is behind the firewall (hidden from the internet) and
> the secondary is in front of the firewall (exposed to the internet), to facilitate
> zone transfers FW rules are required that allow bidirectional udp port 53 and
> unidirectional tcp port 53 from secondary to primary.

I assume when you say "unidirectional" you mean that connections can only be
*initiated* in one direction, right? The packets still need to flow in
*both* directions in order for a TCP connection to be established and pass data.

> While this configuration has some security advantages, it has drawbacks too.
> If the secondary is compromised, there is the open incoming hole to the primary,
> tcp and udp port 53.
>
> Is there a workaround? Other ways to transfer zones? Maybe, outgoing master to
> secondary transfer is possible?

There is no IETF standard for a "push"-based method of DNS zone transfer.

If you're really that paranoid, consider another method of master/slave
replication. Dan Bernstein recommends rsync-over-ssh, although I've never tried
that myself. When using an alternative replication method, you would define all of
the servers as "master" in named.conf and issue a reload after each transfer so
that each "slave" will pick up the changes.

And, if you are that paranoid, you are already a) running unprivileged, b) running
chroot()'ed, and c) keeping your BIND software faithfully up-to-date,
right?
- Kevin
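As an added illustration of the rsync-over-ssh approach described in the reply above (example script written for this page, not code from the thread or from BIND; the zone name, hostnames, paths and key file are assumptions), the hidden master validates the zone, pushes the file to the exposed server and asks it to reload. Both servers carry the zone as `type master`, so no inbound port 53 rule to the hidden master is needed.

```shell
#!/bin/sh
# Push-based zone replication (added example; all values below are assumed).
# Corresponding named.conf fragment on BOTH servers:
#   zone "example.com" { type master; file "zones/example.com.zone"; };

ZONE="example.com"                 # placeholder zone name
LOCAL_DIR="/var/named/zones"       # assumed zone directory on the hidden master
REMOTE_HOST="ns2.example.com"      # assumed exposed secondary
REMOTE_DIR="/var/named/zones"      # assumed zone directory on the secondary
SSH_KEY="/root/.ssh/zone-push"     # assumed key; restrict it to rsync/rndc on ns2

# Print the SOA serial of a zone file. Scans from the field after "SOA" so a
# leading TTL is not mistaken for the serial; handles the multi-line "(" layout.
soa_serial() {
    awk '
        {
            start = 1
            if (!insoa) {
                for (i = 1; i <= NF; i++)
                    if ($i == "SOA") { insoa = 1; start = i + 1; break }
                if (!insoa) next
            }
            for (i = start; i <= NF; i++)
                if ($i ~ /^[0-9]+$/) { print $i; exit }
        }
    ' "$1"
}

# Validate, push and reload. Returns non-zero if any step fails, so a broken
# file is never copied over the good one on the exposed server.
push_zone() {
    file="$LOCAL_DIR/$ZONE.zone"
    named-checkzone "$ZONE" "$file" >/dev/null || return 1
    serial=$(soa_serial "$file")
    [ -n "$serial" ] || return 1
    rsync -e "ssh -i $SSH_KEY" "$file" "root@$REMOTE_HOST:$REMOTE_DIR/" || return 1
    ssh -i "$SSH_KEY" "root@$REMOTE_HOST" "rndc reload $ZONE" || return 1
    echo "pushed $ZONE serial $serial to $REMOTE_HOST"
}
```

Run `push_zone` from the hidden master after each zone edit; the only firewall rule it needs is outbound ssh from the master to the secondary.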


