Internal recursive nameserver access

Jim Reid jim at rfc1035.com
Wed Aug 27 07:44:41 UTC 2003


>>>>> "Ladislav" == Ladislav Vobr <lvobr at ies.etisalat.ae> writes:

    Ladislav> This was my target to get some best available setup of
    Ladislav> acls in such conditions. Jim has suggested to have all
    Ladislav> random ports open just to be able to run dig on the
    Ladislav> nameserver itself to query remote nameservers from time
    Ladislav> to time, which seemed to me not justified enough, since
    Ladislav> the server does not need them, and because of the
    Ladislav> occasional dig I will not expose all udp ports.

I did not suggest that at all. I did say that IF you wanted to use dig
across the firewall, you need to accept that the query will come from
a random port and that implies random ports have to be accessible for
the inbound reply. Peter elaborated on that by talking about stateful
firewalls, i.e. it lets the query out but keeps track of the details
(port numbers and addresses, maybe the query ID and name) so that only
a reply to that query gets allowed in. I also explained -- and you
don't seem to have understood -- that constraining DNS traffic to use
specific ports "for security" is not a wise or particularly effective
policy. [Your externally resolving name servers shouldn't be running
anything other than named and maybe sshd. That means there won't be
any other ports/services for malicious traffic to attack.] A stateful
firewall makes port filtering for DNS traffic unnecessary anyway.

    Ladislav> Many people replied, but nobody said what to do in the
    Ladislav> conditions I have, which I believe are not rare at
    Ladislav> all. Even in the reference Jim has mentioned "Building
    Ladislav> Internet Firewalls, second edition, Chapter 20 - DNS"
    Ladislav> there is nothing about query-source option of bind, or
    Ladislav> fw states of DNS udp traffic, it generally says source
    Ladislav> port random, deal with it.

Indeed. So deal with it.
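The stateful behaviour described in the reply above (let the query out from a random port, remember the addresses, ports, query ID and name, and admit only the matching reply) as an added, self-contained simulation. This is example code written for this page, not BIND's code and not any real firewall's implementation; the addresses, ports and query IDs are constructed test values, and the 30 second state timeout is an assumed figure.

```python
"""Stateful filtering of outbound DNS/UDP queries and their replies.

Constructed simulation for illustration: a connection table keyed on the
UDP addresses and ports, holding the DNS query ID and QNAME, so that an
inbound packet is admitted only if it answers a query we actually sent.
"""
import struct
import time

DNS_PORT = 53


def encode_qname(name):
    """Encode a dotted name into DNS wire format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(data, offset):
    """Decode an uncompressed wire-format name starting at offset."""
    labels = []
    while True:
        ln = data[offset]
        offset += 1
        if ln == 0:
            break
        labels.append(data[offset:offset + ln].decode("ascii"))
        offset += ln
    return ".".join(labels) + ".", offset


def build_dns(txid, name, is_response):
    """Minimal DNS message: 12-byte header plus one question (A, IN)."""
    flags = 0x8180 if is_response else 0x0100  # QR bit set on responses
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def parse_dns(payload):
    """Return (query id, is_response, qname) from a DNS message."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    name, _ = decode_qname(payload, 12)
    return txid, bool(flags & 0x8000), name


class StatefulDnsFilter:
    """Tracks outbound queries; admits only the matching inbound reply."""

    def __init__(self, timeout=30.0):  # assumed state lifetime
        self.timeout = timeout
        self.table = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port, payload, now=None):
        now = time.monotonic() if now is None else now
        txid, is_resp, qname = parse_dns(payload)
        if dst_port != DNS_PORT or is_resp:
            return False  # only plain queries to port 53 create state
        key = (dst_ip, dst_port, src_ip, src_port)  # as the reply will look
        self.table[key] = (txid, qname, now + self.timeout)
        return True

    def inbound(self, src_ip, src_port, dst_ip, dst_port, payload, now=None):
        now = time.monotonic() if now is None else now
        entry = self.table.get((src_ip, src_port, dst_ip, dst_port))
        if entry is None:
            return False  # no matching state: dropped whatever the port
        txid, qname, expires = entry
        if now > expires:
            del self.table[(src_ip, src_port, dst_ip, dst_port)]
            return False  # state expired: treat as unsolicited
        try:
            r_id, is_resp, r_name = parse_dns(payload)
        except (ValueError, IndexError, UnicodeDecodeError):
            return False  # malformed: drop, keep waiting for the real answer
        if not is_resp or r_id != txid or r_name.lower() != qname.lower():
            return False  # wrong ID or name: drop, state is kept
        del self.table[(src_ip, src_port, dst_ip, dst_port)]  # one reply only
        return True


def demo():
    """Walk the cases a practitioner cares about; returns the verdicts."""
    fw = StatefulDnsFilter()
    resolver, remote = "192.0.2.10", "198.51.100.53"  # constructed addresses
    name = "www.example.com."
    good = build_dns(0x1A2B, name, True)
    v = {}
    v["query_out"] = fw.outbound(resolver, 40123, remote, 53, build_dns(0x1A2B, name, False), now=0.0)
    v["wrong_id"] = fw.inbound(remote, 53, resolver, 40123, build_dns(0x1A2C, name, True), now=1.0)
    v["unsolicited"] = fw.inbound(remote, 53, resolver, 40124, good, now=1.0)
    v["reply_in"] = fw.inbound(remote, 53, resolver, 40123, good, now=1.0)
    v["replay"] = fw.inbound(remote, 53, resolver, 40123, good, now=2.0)
    fw.outbound(resolver, 40200, remote, 53, build_dns(0x0042, name, False), now=10.0)
    v["expired"] = fw.inbound(remote, 53, resolver, 40200, build_dns(0x0042, name, True), now=50.0)
    return v


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12s} {'ALLOW' if verdict else 'DROP'}")
```

The point the simulation makes is the one in the reply: once the firewall keys on the outbound query's own details, the random source port stops mattering, because a packet to any port that has no matching state is dropped, and a packet to the right port with the wrong ID or name is dropped too.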


More information about the bind-users mailing list