DNS and intranet security

Barry Margolin barmar at bbnplanet.com
Mon Oct 18 20:11:26 UTC 1999


In article <940258254.462421 at manipura.rete039.it>,
Diego <dcima at rete039.it> wrote:
>Scenario:
>One linux box (RH 6.0, Samba 2.0.3, Bind 8)
>two win98 clients
>
>This is my small intranet at home. The linux box acts as file server and
>gateway to the Internet for two Win98.
>I have set up bind 8 to have my own DNS (just for fun and because I need to
>point to different forwarders, i.e. different ISPs).
>
>Since I want my intranet to be safe from outside evil, I would like to know
>any security issue about having named running when I'm on the internet.
>I'm using a private C class network, and I have set up ipchains to block
>access to port 53 (both on TCP and UDP).
>
>Am I doing it right? I know there should be something built into Bind for
>security, but I'm not sure on how to use it. Any hint or suggestion is
>welcome!

It sounds like you've done enough.  You could also use BIND's "listen-on"
option so that it only accepts queries on the private address and
127.0.0.1.  This would serve as added protection on top of the ipchains
setup.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
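The "listen-on" restriction from the reply above, written out as an added named.conf example (not configuration from either poster). It assumes a private network of 192.168.1.0/24 with the Linux box at 192.168.1.1 and a single forwarder placeholder; substitute your own addresses.

```conf
// Added example: restrict BIND 8 to the intranet interface and loopback.
// Assumed addresses: LAN 192.168.1.0/24, this host 192.168.1.1.
options {
    directory "/var/named";

    // Bind port 53 only on the private address and loopback, so named never
    // answers on the Internet-facing interface even if a firewall rule is
    // missing or misordered. Defence in depth on top of the ipchains block.
    listen-on {
        192.168.1.1;
        127.0.0.1;
    };

    // Additionally refuse queries that do not originate from the intranet or
    // the host itself, regardless of which interface they arrive on.
    allow-query {
        192.168.1.0/24;
        127.0.0.1;
    };

    // Upstream resolvers for the chosen ISP; placeholder, replace with the
    // ISP's actual nameserver address.
    forwarders {
        203.0.113.53;   // placeholder forwarder
    };
};
```

After restarting named, confirm the socket is only bound where intended with `netstat -an | grep ':53'`: the output should show 192.168.1.1:53 and 127.0.0.1:53 and not 0.0.0.0:53 or the external interface's address. A query from the outside interface should then be refused by BIND itself even with the ipchains rule temporarily absent.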
