DNS behind firewall
Kevin Darcy
kcd at chrysler.com
Sun May 20 15:53:05 UTC 2012
On 5/20/2012 10:07 AM, Saif Ahmed wrote:
> Hi,
> I have configured authuritive only DNS,
> It's respond well internally
> But not answer the public quires,
>
> options {
> directory "/etc/named";
> // version statement - inhibited for security
> // (avoids hacking any known weaknesses)
> version "not currently available";
> // allows notifies only from master
> allow-notify {172.20.10.10; };
> // disables all zone transfer requests
> allow-transfer{"none"; };
> allow-query { any; };
> query-source address * port 53;
> recursion no;
> pid-file "/var/run/named/named.pid";
>
> below the tcpdump "udp port 53" result
>
> 17:05:03.913856 IP (tos 0x0, ttl 106, id 6612, offset 0, flags [none], proto
> UDP (17), length 52)
> peach.dnsstuff.com.pmsm-webrctl> 192.168.30.100.domain: [udp sum ok] 1+
> A? com.iq. (24)
> 17:05:03.914396 IP (tos 0x0, ttl 64, id 28758, offset 0, flags [DF], proto
> UDP (17), length 73)
>
> Waiting for your advise;
OK, so you got an incoming query for com.iq/a from peach.dnsstuff.com.
Was the outgoing response packet also in your capture? What did it look
like? It should have been a NODATA response (NOERROR, 0 answers, an SOA
record in the Authority Section for negative caching), or possibly just
a root-zone referral, depending what authoritative zones are configured
in the instance.
If you don't see an outgoing response packet, check for any "blackhole"s
defined in your config. If that's not the cause, then check the network
configuration of your box. Maybe the response is going out the wrong
interface.
By the way, you should not port-limit your query source address. That
makes it easier for malicious people to forge DNS responses back to you.
- Kevin
More information about the bind-users
mailing list