DNS behind firewall

Saif Ahmed smohammed at cmc.iq
Sun May 20 18:41:29 UTC 2012


Hi Kevin,

Thanks for your reply,
It works now after flushing the iptables using iptables -f

Regards

Saif
-----Original Message-----
From: bind-users-bounces+smohammed=cmc.iq at lists.isc.org
[mailto:bind-users-bounces+smohammed=cmc.iq at lists.isc.org] On Behalf Of
Kevin Darcy
Sent: Sunday, May 20, 2012 7:53 PM
To: bind-users at lists.isc.org
Subject: Re: DNS behind firewall

On 5/20/2012 10:07 AM, Saif Ahmed wrote:
> Hi,
> I have configured an authoritative-only DNS. It responds well internally,
> but does not answer public queries.
>
> options {
>    directory "/etc/named";
>    // version statement - inhibited for security
>    // (avoids hacking any known weaknesses)
>    version "not currently available";
>    // allows notifies only from master
>    allow-notify {172.20.10.10; };
>    // disables all zone transfer requests
>    allow-transfer{"none"; };
>    allow-query { any; };
>    query-source address * port 53;
>    recursion no;
>    pid-file "/var/run/named/named.pid";
>
> below the tcpdump "udp port 53" result
>
> 17:05:03.913856 IP (tos 0x0, ttl 106, id 6612, offset 0, flags [none], 
> proto UDP (17), length 52)
>      peach.dnsstuff.com.pmsm-webrctl>  192.168.30.100.domain: [udp sum 
> ok] 1+ A? com.iq. (24)
> 17:05:03.914396 IP (tos 0x0, ttl 64, id 28758, offset 0, flags [DF], 
> proto UDP (17), length 73)
>
> Waiting for your advice;
OK, so you got an incoming query for com.iq/a from peach.dnsstuff.com. 
Was the outgoing response packet also in your capture? What did it look
like? It should have been a NODATA response (NOERROR, 0 answers, an SOA
record in the Authority Section for negative caching), or possibly just a
root-zone referral, depending on what authoritative zones are configured in the
instance.

If you don't see an outgoing response packet, check for any "blackhole"s
defined in your config. If that's not the cause, then check the network
configuration of your box. Maybe the response is going out the wrong
interface.

By the way, you should not port-limit your query source address. That makes
it easier for malicious people to forge DNS responses back to you.

                                             - Kevin
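To check what Kevin asks about (whether the reply to the captured query was NODATA, a referral, or something else), here is an added example that is not code from this thread: a small raw DNS response classifier plus a constructed NODATA reply to the "1+ A? com.iq." query from the capture. The SOA contents and the ns1.example / hostmaster.example names are assumptions.

```python
import struct

def encode_name(name):
    """Wire-encode a dotted name without compression (used to build the constructed samples)."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def skip_name(buf, off):
    """Return the offset just past the name at off, honouring compression pointers."""
    while True:
        ln = buf[off]
        if ln >= 0xC0:                 # pointer: two bytes, and the name ends here
            return off + 2
        off += 1 + ln
        if ln == 0:
            return off

def skip_rr(buf, off):
    off = skip_name(buf, off)
    rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
    return rtype, off + 10 + rdlen     # (rtype, offset past this resource record)

def classify(resp):
    """ANSWER, NODATA (NOERROR, no answers, SOA in Authority), REFERRAL (NS in Authority), NXDOMAIN or RCODE<n>."""
    _, flags, qd, an, ns, _ = struct.unpack("!6H", resp[:12])
    rcode, off = flags & 0xF, 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4                  # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = skip_rr(resp, off)
    auth = set()
    for _ in range(ns):
        rtype, off = skip_rr(resp, off)
        auth.add(rtype)
    if rcode != 0:
        return "NXDOMAIN" if rcode == 3 else "RCODE%d" % rcode
    if an:
        return "ANSWER"
    return "NODATA" if 6 in auth else "REFERRAL" if 2 in auth else "EMPTY"   # 6 = SOA, 2 = NS

def build_response(txid, qname, rcode, answers=(), authority=()):
    """Minimal authoritative response to an A/IN question; RRs are (name, rtype, rdata) tuples."""
    msg = struct.pack("!6H", txid, 0x8400 | rcode, 1, len(answers), len(authority), 0)  # QR=1, AA=1
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, rtype, rdata in list(answers) + list(authority):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg

# Constructed sample: the reply the server should have sent to the captured "1+ A? com.iq." query,
# assuming it is authoritative for iq. (NOERROR, zero answers, SOA of iq. in the Authority section).
SOA_RDATA = encode_name("ns1.example.") + encode_name("hostmaster.example.") + struct.pack("!5I", 1, 3600, 900, 604800, 86400)
NODATA_REPLY = build_response(1, "com.iq.", 0, authority=[("iq.", 6, SOA_RDATA)])
```

Feeding classify() the UDP payload of the outgoing packet from the tcpdump capture tells you directly whether the server produced the NODATA reply Kevin expects, or no reply at all.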
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
