Bind and Firewall
Simon Waters
Simon at wretched.demon.co.uk
Sun Sep 9 14:37:32 UTC 2001
JayL wrote:
> query-source address 66.92.78.13 port 53;
> ACCEPT tcp ------ anywhere xxx.xxx.xxx.xxx any
> -> domain
Why have you obscured the IP address in the second location?
I assume it is the same as the first?
Looks to me like even if you get this approach to firewalling
working, you'll still allow people to issue arbitrary DNS queries
to your firewall from outside, and I don't think that is what
you want (although it isn't very risky, you don't have to do
it).
Probably the quick fix for the above is not to "listen-on" the
external interface of the firewall. See the listen-on directive
in the ARM.
Similarly, query-source doesn't need to be port 53; a higher port
would add some security through obscurity, and look less like a
DNS server running on a firewall *8-)
As for the ipchains problem, how about switching on some
logging and seeing what is happening: "rndc querylog" and "-l"
on the ipchains rules.
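Putting the two suggestions together (restricting listen-on and moving query-source off port 53) as an added named.conf example that is not from the original post: 66.92.78.13 is the external address quoted above, while 192.168.0.1 and 192.168.0.0/24 are assumed placeholders for the firewall's internal interface and the LAN behind it, and `port *` lets named pick a random unprivileged source port rather than a fixed high one.

```conf
// Added example, not from the original post. 66.92.78.13 is the external
// address from the quoted post; 192.168.0.1 and 192.168.0.0/24 are
// constructed placeholders for the internal interface and the LAN.
acl "internal" {
    127.0.0.1;
    192.168.0.0/24;
};

options {
    directory "/var/named";

    // Bind the listening socket only to loopback and the internal interface,
    // so named is simply not reachable from the external side.
    listen-on port 53 { 127.0.0.1; 192.168.0.1; };

    // Belt and braces: even a query that does arrive is only answered for
    // hosts on the internal network.
    allow-query { "internal"; };
    allow-recursion { "internal"; };

    // Outbound queries still leave from the external address, but from a
    // random unprivileged source port rather than 53, so the firewall can
    // tell named's own replies apart from inbound queries aimed at port 53.
    query-source address 66.92.78.13 port *;
};

// "rndc querylog" toggles query logging at runtime; sending the queries
// category to its own file makes it easy to line up with the ipchains log.
logging {
    channel query_log {
        file "/var/log/named/queries.log" versions 3 size 5m;
        print-time yes;
    };
    category queries { query_log; };
};
```

With this in place the firewall rule for inbound destination port 53 on the external interface can be dropped entirely; only the rule that admits replies to named's outbound queries is still needed.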