Firewall for DNS Server

Barry Margolin barry.margolin at level3.com
Fri Sep 5 16:27:36 UTC 2003


In article <bjac4m$2fu3$1 at sf1.isc.org>,  <chris at rockfort.com> wrote:
>I would like to setup filtering for my DNS servers. I suspect that they are
>being used illicitly or attacked. Can anyone tell me what ports to leave
>open besides 53, in order for the name servers to function properly. These
>servers are used for public DNS purposes.

You can't use filtering to prevent them from being "used illicitly",
although you can use the "allow-recursion" configuration option to make
them useless as resolvers for anyone other than your users.

In addition to port 53, you need to allow replies to your outbound queries
to return to you.  By default BIND uses an unpredictable high-numbered
source port for its queries.  If you have a stateful firewall, it should
see the source port of the queries and automatically allow the replies back
in, so you don't need to do anything.  If your firewall doesn't work like
this you can use the "query-source" option to specify a particular source
port for outbound queries, and allow this in.

-- 
Barry Margolin, barry.margolin at level3.com
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
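As an added illustration of the two options Barry mentions (this is not part of the original thread), here is a BIND 9 `named.conf` fragment in the syntax current BIND releases accept. The ACL name `trusted`, the network `192.0.2.0/24` and the port `53053` are placeholders chosen for the example, not values from the page.

```conf
// Added example, not from the original post. Placeholder values:
// "trusted", 192.0.2.0/24 and port 53053 are constructed for illustration.
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;       // the networks of your own users (constructed range)
};

options {
    directory "/var/named";

    // Authoritative answers are still served to everyone; recursion is
    // only performed for the trusted networks, so outsiders cannot use
    // this server as an open resolver.
    allow-recursion { trusted; };

    // Only needed when the firewall does NOT track outbound UDP state:
    // pin the source port of outbound queries so that a single inbound
    // rule can let the replies back in. Omit this with a stateful firewall.
    query-source port 53053;
};
```

With the `query-source` line present, the matching inbound firewall rule permits UDP (and TCP) traffic from source port 53 to destination port 53053 on the server's address; without it, a stateful firewall that tracks the outbound query's randomised high port admits the reply on its own. Pinning the port does remove the source-port randomness that makes forged replies harder to match to a pending query, so the stateful-firewall approach Barry describes first is the one to prefer where it is available. `named-checkconf` validates the fragment before it is loaded.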