Internal recursive nameserver access
phn at icke-reklam.ipsec.nu
Tue Aug 26 07:18:16 UTC 2003
Ladislav Vobr <lvobr at ies.etisalat.ae> wrote:
> I have posted just yesterday question about the dig source port and got
> many replies, thanks for all of them. I have a question about the access
> required for a proper functionality of internal recursive nameserver. I
> have a L3 firewall as a default gateway for this nameserver. I would
> like to have firewall setup as strict as possible.
> 1. I have basically allowed on this firewall all internal clients to
> query the internal recursive nameserver from any source port to my
> destination dns server port 53.
> 2. I have allowed the internal recursive nameserver (with source-query
> set to particular IP address 1.2.3.4 and port number abcd) to go out on
> this source port to any destination with port 53.
> 3. And for udp I have allowed replies coming from any source with 53
> source port, and destined to my dns server source port abcd.
> Is there any better way, supposing you have an L3 firewall only, unable to
> keep track of DNS query IDs and their relations?
> What is the best way to use dig from such a nameserver occasionally?
As stated before, authorizing on source-port is of little value. What
should be done is "packet-state" saved in the firewall.
I have no idea of what a "L3" firewall is and if it's capable of acting
statefully. But statefulness is what you need.
> Ladislav
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
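To make the reply's point concrete, the following is an added Python model of the two approaches, not code from the thread: rule 3 as posted (accept anything with source port 53 aimed at the resolver's query port) next to a minimal connection-tracking table that only admits replies matching a query the resolver actually sent. The resolver address 1.2.3.4 is from the thread; port 33333 stands in for the thread's "abcd", and the two remote addresses are constructed.

```python
from dataclasses import dataclass

RESOLVER_IP = "1.2.3.4"   # the resolver's fixed source address, from the thread
QUERY_PORT = 33333        # constructed stand-in for the thread's "abcd" query-source port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


def stateless_reply_allowed(pkt: Packet) -> bool:
    """Rule 3 as posted: any source is accepted as long as it uses sport 53
    and targets the resolver's query port. Nothing ties it to a real query."""
    return (pkt.proto == "udp" and pkt.sport == 53
            and pkt.dst == RESOLVER_IP and pkt.dport == QUERY_PORT)


class StatefulFilter:
    """Minimal stand-in for firewall connection tracking: outbound queries
    create an entry, and an inbound packet is only admitted if it mirrors
    one of those entries. (Real conntrack expires UDP entries on a timer;
    here a matching reply simply consumes the entry.)"""

    def __init__(self) -> None:
        self._table: set[tuple] = set()

    def outbound(self, pkt: Packet) -> bool:
        # Rule 2: resolver may query any server on port 53 from its fixed port.
        if pkt.src == RESOLVER_IP and pkt.sport == QUERY_PORT and pkt.dport == 53:
            # Store the reversed 5-tuple so a reply can be matched directly.
            self._table.add((pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto))
            return True
        return False

    def inbound_reply(self, pkt: Packet) -> bool:
        # No prior outbound query -> no state -> packet dropped, whatever its ports.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key in self._table:
            self._table.discard(key)
            return True
        return False
```

An unsolicited packet that merely uses source port 53 satisfies the stateless rule but has no table entry, which is the gap the reply says only statefulness closes.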