About "update" packets
Jim Reid
jim at rfc1035.com
Wed Jun 16 13:05:19 UTC 2004
>>>>> "Maurizio" == Maurizio Colella <Maurizio.Colella at marconi.com> writes:
Maurizio> Dear all, I'm having some problems with some clients that
Maurizio> from the Internet try to "update" my DNS (9.2.3)!
Maurizio> (..Hackers?) I need to allow updates only from my
Maurizio> machine, so I've configured my named.conf to use
Maurizio> "allow-update" and a "key" statement. At the moment my
Maurizio> DNS "denies" any update from all clients that are not
Maurizio> compliant (..IP address and key are not correct!!). In
Maurizio> addition, I've also closed all TCP packets from any to my
Maurizio> DNS, because I supposed that "updates" are performed
Maurizio> only over TCP, but I see that "updates" are always present!
Maurizio> So, my simple question is: are the "nsupdate" messages
Maurizio> in UDP packets?
Closing off TCP traffic to your name server is unwise. Don't do it.
Some things -- i.e. zone transfers -- only work over TCP. And it's
perfectly reasonable for a client to make queries over a TCP
connection too, even though most queries are done using UDP. This is
also true for dynamic updates. They tend to be made over UDP but can
be done with a TCP connection: check out the -v option to nsupdate.
BTW, combining IP addresses and TSIG (or SIG(0)) keys in a BIND9 ACL
is awkward. In other words, if you want to restrict access to clients
who have specific IP addresses AND use a TSIG or SIG(0) key, it can be
done. But it's clumsy. Consult the list archives. You might not have
configured your ACL the way you expected it to work.
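To make the transport point concrete: a dynamic update is an ordinary DNS message whose header opcode is 5 (UPDATE, RFC 2136), and the same bytes travel as a bare UDP payload or, over TCP, behind a two-byte length prefix (RFC 1035 section 4.2.2). Blocking TCP therefore removes nothing; the server still sees the UDP copies, which is what the poster was observing. The following is an added example written for this thread, not code from the original post or from BIND or nsupdate. It hand-builds a minimal UPDATE (zone section plus one A-record add), frames it for both transports, and classifies captured messages by opcode. The zone example.net, the host name and the address 192.0.2.10 are constructed sample data, and the block deliberately omits TSIG (which would be an extra RR in the additional section) to stay focused on transport.

```python
"""Build and classify DNS UPDATE messages on UDP and TCP (added example)."""
import struct

# Opcodes from the DNS header; 5 is UPDATE (RFC 2136).
OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
TYPE_A, TYPE_SOA, CLASS_IN = 1, 6, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update(zone: str, name: str, ipv4: str, ttl: int = 300, msg_id: int = 0x1234) -> bytes:
    """Minimal RFC 2136 UPDATE: zone section names the zone SOA, update section adds one A RR.
    Header: QR=0, opcode=5; RFC 2136 reuses the four count fields as ZO/PR/UP/AD counts."""
    flags = 5 << 11                                    # opcode UPDATE, no other flag bits
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 1, 0)   # ZOCOUNT=1, UPCOUNT=1
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update_sec = (encode_name(name)
                  + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata))
                  + rdata)
    return header + zone_sec + update_sec


def build_query(name: str, msg_id: int = 0x1234) -> bytes:
    """Ordinary A query (opcode 0, RD set), for comparison with the update."""
    flags = (0 << 11) | 0x0100
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def tcp_frame(message: bytes) -> bytes:
    """Over TCP every DNS message is preceded by its 2-byte big-endian length.
    Over UDP the message is the whole datagram payload, with no prefix."""
    return struct.pack("!H", len(message)) + message


def classify_message(message: bytes) -> dict:
    """Read the 12-byte header of one DNS message (e.g. a UDP datagram payload)."""
    if len(message) < 12:
        raise ValueError("short DNS message")
    msg_id, flags = struct.unpack("!HH", message[:4])
    opcode = (flags >> 11) & 0xF
    return {"id": msg_id,
            "opcode": OPCODE_NAMES.get(opcode, "UNKNOWN"),
            "response": bool(flags & 0x8000)}


def classify_tcp_stream(stream: bytes) -> list:
    """Walk a reassembled TCP stream one length-prefixed message at a time."""
    results, offset = [], 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[offset:offset + 2])
        body = stream[offset + 2:offset + 2 + length]
        if len(body) < length:
            break                                      # truncated capture; stop cleanly
        results.append(classify_message(body))
        offset += 2 + length
    return results


if __name__ == "__main__":
    update = build_update("example.net.", "host.example.net.", "192.0.2.10")
    print("UDP payload  :", classify_message(update))
    stream = tcp_frame(build_query("www.example.net.")) + tcp_frame(update)
    print("TCP stream   :", classify_tcp_stream(stream))
```

The header is identical on both transports, so a filter that wants to stop updates has to look at the opcode (or, better, leave that to named's allow-update ACL) rather than at the transport. On the ACL itself: BIND address match lists stop at the first element that matches, so `allow-update { 192.0.2.10; key "update-key"; };` means address OR key, not both; requiring both is the nested negated-list form the BIND documentation describes, `allow-update { !{ !192.0.2.10; any; }; key "update-key"; };`, which rejects every other address before the key is even considered.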