Setting up BIND 9.2.3 as a caching name server on a mail server question

Barry Margolin barmar at alum.mit.edu
Sat Sep 4 15:19:15 UTC 2004


In article <chbo2u$2jhh$1 at sf1.isc.org>,
 Jason Williams <jwilliams at courtesymortgage.com> wrote:

> Hello everybody. As the subject states, I would like to setup a caching 
> nameserver on my mail server to speed up spam checks as well as alleviate 
> usage of my ISP's DNS server.
> 
> Currently, I have a mail gateway server running FreeBSD 4.9, with 
> SpamAssassin, Clamav and Sendmail. Everything has been working great and 
> now I'm looking to add a caching nameserver.
> 
> I have made a package for the server and plan to install it here in the 
> next couple of days, but I wanted to ask a couple of quick questions.
> First, I would like to enable some logging of some sort, so I can see what 
> all is going on with BIND, the queries, etc.

Turn on query logging in the named.conf.

> Second, I have setup my firewall to port forward traffic to the mail server 
> that BIND will be running on. Only port 25 traffic is allowed to the server 
> from the outside world. But, I would still like to make my setup as secure 
> as I can. Any suggestions or tips on other things I can do during the 
> setup? Maybe something like only allow the localhost to contact named? Not 
> sure if that is possible though.

The only thing you need to allow from the outside world for caching DNS 
is the replies to your queries.  If you allow TCP and UDP port 53, and 
you have a stateful firewall, it should automatically allow just the 
replies back in.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
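
The two points in the reply above (query logging, and letting nothing but the
mail gateway itself talk to named) both live in named.conf. The following
caching-only configuration is an added example for this thread, not anything
posted by Jason or Barry. It assumes a FreeBSD ports/package build of BIND
9.2.x with the usual /etc/namedb layout, a log directory writable by the user
named runs as, and an rndc.key generated with `rndc-confgen -a`; adjust the
paths to match the package you built.

```conf
// named.conf: caching-only resolver for a mail gateway (added example,
// not from the original post). Paths are assumptions for a FreeBSD
// ports install of BIND 9.2.x.

options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";

    // Answer only on the loopback interface. Sendmail, SpamAssassin and
    // ClamAV run on this host, so 127.0.0.1 is the only client needed.
    listen-on { 127.0.0.1; };
    listen-on-v6 { none; };

    // Belt and braces: even if listen-on is widened later, refuse queries
    // and recursion from anything that is not the local host, and never
    // hand out zone transfers.
    allow-query     { 127.0.0.1; };
    allow-recursion { 127.0.0.1; };
    allow-transfer  { none; };

    // Do not advertise the exact version to "dig @host version.bind chaos txt".
    version "not available";

    // Start with query logging enabled; "rndc querylog" toggles it at run time.
    querylog yes;
};

logging {
    // One query line per lookup; a spam-checking mail server generates a lot
    // of these, so cap the file and keep a few rotated copies.
    channel query_log {
        file "/var/log/named/queries.log" versions 5 size 20m;
        severity info;
        print-time yes;
        print-category yes;
    };
    channel default_log {
        file "/var/log/named/named.log" versions 5 size 5m;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category queries      { query_log; };
    category default      { default_log; };
    category security     { default_log; };
    category lame-servers { null; };
};

// Local control channel for rndc; the key file is created by "rndc-confgen -a"
// (path assumed).
include "/etc/namedb/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

// Root hints plus the loopback reverse zone; the server is authoritative for
// nothing else.
zone "." {
    type hint;
    file "named.root";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/localhost.rev";
    notify no;
};
```

Run `named-checkconf` before starting, point the gateway at itself with
`nameserver 127.0.0.1` in /etc/resolv.conf, and check from another host that a
query to the gateway's outside address is refused while `dig @127.0.0.1` on the
box itself resolves. On the firewall, Barry's advice translates to allowing
outbound UDP and TCP to port 53 with state tracking (for example ipfw rules
with `keep-state` on FreeBSD 4.9), so that only replies to the resolver's own
queries come back in; no inbound port 53 rule is needed for a caching-only
server.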


More information about the bind-users mailing list