Best ipfw Rules for DNS-SEC
Chuck Swiger
cswiger at mac.com
Tue Mar 15 19:20:34 UTC 2011
On Mar 15, 2011, at 11:08 AM, Martin McCormick wrote:
> Is there a recommended set of firewall rules that insure that all
> necessary DNS traffic can enter and leave, even the larger
> packets that result from dns-sec?
# allow UDP DNS queries out to the world, and in to your nameservers
## It's faster to do this stateless, and reduces DoS risk against the firewall,
## but you are exposing your network to UDP port scans from source port 53
## (if you have other open UDP ports). If you want to be stateful, switch to:
## add pass udp from any to $NAMESERVER_IP 53 keep-state
## add pass udp from $YOURNET to any 53 keep-state
add pass udp from any to $NAMESERVER_IP 53
add pass udp from $NAMESERVER_IP 53 to any
add pass udp from $YOURNET 53,1024-65535 to any 53
add pass udp from any 53 to $YOURNET 53,1024-65535
# allow TCP DNS outbound and inbound only to nameserver boxes
## Likewise, you can add keep-state if you want to be stateful;
## in which case the established line can be removed.
add pass tcp from any to any established
add pass tcp from $YOURNET to any 53 setup
add pass tcp from any to $NAMESERVER_IP 53 setup
------
For something like a Cisco PIX/ASA, you probably want "no fixup protocol dns" to avoid breaking EDNS, but "fixup protocol dns maximum-length 4096" might be a workable alternative.
Regards,
--
-Chuck
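As an added illustration (not part of Chuck's post), the following first-match simulator walks the UDP half of the two rule sets above and shows the trade-off the comments describe: the stateless set accepts any packet from source port 53 to a high port inside $YOURNET, while the keep-state set only accepts replies to a query it has seen. The addresses 192.0.2.0/24, 192.0.2.53, 192.0.2.10 and 198.51.100.7 are constructed stand-ins for $YOURNET, $NAMESERVER_IP, an inside client and an outside host.

```python
import ipaddress as ipa

# Constructed sample values standing in for $YOURNET and $NAMESERVER_IP.
YOURNET = ipa.ip_network("192.0.2.0/24")
NAMESERVER = ipa.ip_network("192.0.2.53/32")
ANY_NET, ANY_PORT = None, None
CLIENT_PORTS = {53} | set(range(1024, 65536))   # ipfw's "53,1024-65535"

# Each rule: (src_net, src_ports, dst_net, dst_ports, keep_state); None = any.
STATELESS = [
    (ANY_NET, ANY_PORT, NAMESERVER, {53}, False),   # any -> NS 53
    (NAMESERVER, {53}, ANY_NET, ANY_PORT, False),   # NS 53 -> any
    (YOURNET, CLIENT_PORTS, ANY_NET, {53}, False),  # YOURNET 53,1024-65535 -> any 53
    (ANY_NET, {53}, YOURNET, CLIENT_PORTS, False),  # any 53 -> YOURNET 53,1024-65535
]
STATEFUL = [
    (ANY_NET, ANY_PORT, NAMESERVER, {53}, True),    # any -> NS 53 keep-state
    (YOURNET, ANY_PORT, ANY_NET, {53}, True),       # YOURNET -> any 53 keep-state
]

def _ok(net, addr, ports, port):
    return (net is None or addr in net) and (ports is None or port in ports)

def passes(rules, state, pkt):
    """pkt = (src, sport, dst, dport). 'state' holds flows opened by keep-state
    rules; a packet whose reverse tuple is in it is a reply and is passed first,
    mirroring ipfw's dynamic-rule check ahead of the static rules."""
    src, sport, dst, dport = pkt
    if (dst, dport, src, sport) in state:
        return True
    for snet, sports, dnet, dports, keep in rules:
        if _ok(snet, src, sports, sport) and _ok(dnet, dst, dports, dport):
            if keep:
                state.add(pkt)
            return True
    return False

def scenario(rules):
    """Return (unsolicited_passes, reply_after_query_passes) for a rule set."""
    state = set()
    inside = ipa.ip_address("192.0.2.10")      # constructed inside client
    outside = ipa.ip_address("198.51.100.7")   # constructed outside host
    # Unsolicited UDP from source port 53 to a high port on the inside client.
    unsolicited = passes(rules, state, (outside, 53, inside, 5000))
    passes(rules, state, (inside, 40000, outside, 53))        # a real query
    reply = passes(rules, state, (outside, 53, inside, 40000))  # its reply
    return unsolicited, reply
```

scenario(STATELESS) returns (True, True): the probe and the real reply both pass. scenario(STATEFUL) returns (False, True): only the reply to a seen query gets in.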