Strict Linux/ipchains firewall and BIND

Steve Snyder swsnyder at home.com
Thu Oct 21 15:06:34 UTC 1999


I am setting up what I hope is a strict firewall on my LAN's
Linux-based server.  That is, I intend to be *very* specific in what
traffic is allowed from whom on which network ports.

The server for my small LAN runs a nameserver (BIND v8.2.1).  Client
machines on the LAN query my nameserver, which (if the IP address
isn't already cached and the name is not a local machine) in turn
queries one or both of my ISP's two nameservers.

Can I cover all the bases by only allowing port 53 access from my 2
ISP nameservers and from the root nameservers?  Basically I want to
keep the occurrences of input-from-any-address rules to a bare
minimum.  With that in mind, please take a look at the configuration
below and advise me if I am restricting DNS traffic somehow.

Note that the IP addresses listed on the forwarders{} statement below
are also found in /etc/resolv.conf and are thus included in the
ipchains ruleset.

This is a fragment of my /etc/named.conf:

options {
        directory "/var/named/snydernet";
        transfer-format many-answers;
        query-source address * port 53;
        allow-query { 127.0.0.1; 192.168.0/24;};
        listen-on { 127.0.0.1; 192.168.0.12; };
        forward first;
        forwarders { 111.222.333.444; 555.666.777.888; };
};

and these are the rules I expect to use to allow DNS traffic:

  # ISP nameservers
  for NS in `grep "nameserver 24." /etc/resolv.conf | cut -d ' ' -f 2` ; do
    ipchains -A input  -i $EXTRN_IFACE -p udp \
             -s $NS 53 -d $IPADDR 53 -j ACCEPT

    ipchains -A output -i $EXTRN_IFACE -p udp \
             -s $IPADDR 53 -d $NS 53 -j ACCEPT

    ipchains -A input  -i $EXTRN_IFACE -p tcp ! -y \
             -s $NS 53 -d $IPADDR 53 -j ACCEPT

    ipchains -A output -i $EXTRN_IFACE -p tcp \
             -s $IPADDR 53 -d $NS 53 -j ACCEPT
  done

  # root nameservers: take the address field of each A record in the hints
  # file (the next-to-last field is "A" whether or not the class "IN" is
  # written, so this does not depend on tab-separated columns)
  for NS in `awk 'NF >= 2 && $(NF-1) == "A" { print $NF }' /var/named/snydernet/db.cache` ; do
    ipchains -A input  -i $EXTRN_IFACE -p udp \
             -s $NS 53 -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    ipchains -A output -i $EXTRN_IFACE -p udp \
             -s $IPADDR $UNPRIVPORTS -d $NS 53 -j ACCEPT
  done

Any thoughts on this tentative configuration?  Am I restricting DNS 
traffic somehow?  Is there a way to restrict packet traffic further 
without compromising name resolution?

Thank you.


*** Steve Snyder ***
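The detail worth checking in the configuration above is whether the two rule groups agree with named.conf: BIND 8 applies `query-source address * port 53` to every query the server originates, to forwarders and to root servers alike, so replies from both arrive at local port 53 rather than at an unprivileged port. The shell below is an added example, not code from the original post: it reads the reply port from the query-source line and emits both rule groups from that single value. The named.conf fragment and hints file are constructed sample input, and EXTRN_IFACE, IPADDR and UNPRIVPORTS are the post's own variables, left unexpanded in the output.

```shell
#!/bin/sh
# Added example (not from the original post): derive the local port on which
# the firewall must accept DNS replies from BIND 8's query-source setting, so
# forwarder rules and root-server rules cannot disagree with named.conf.
# Sample named.conf and hints file below are constructed; EXTRN_IFACE, IPADDR
# and UNPRIVPORTS are the hypothetical variables from the post's rule script.

# Print the source port BIND 8 uses for every query it originates: the fixed
# port from "query-source ... port N", or UNPRIV when unset or "port *".
query_source_port() {
    port=$(sed -n 's/^[[:space:]]*query-source.*port[[:space:]]\{1,\}\([0-9*]\{1,\}\);.*/\1/p' "$1" | head -n 1)
    case "$port" in
        ''|'*') echo UNPRIV ;;
        *)      echo "$port" ;;
    esac
}

# List root server addresses from a hints file. A-record lines carry "A" as
# the next-to-last field whether or not the class "IN" is present, which is
# sturdier than cutting tab-delimited columns. Comment lines are skipped.
root_server_addrs() {
    awk 'NF >= 2 && $1 !~ /^;/ && $(NF-1) == "A" { print $NF }' "$1"
}

# Emit (not run) the UDP accept pair for one remote nameserver $2, using the
# local port $1 returned by query_source_port on the reply side.
dns_rules_for() {
    lport="$1"; ns="$2"
    [ "$lport" = UNPRIV ] && lport='$UNPRIVPORTS'
    printf 'ipchains -A input  -i $EXTRN_IFACE -p udp -s %s 53 -d $IPADDR %s -j ACCEPT\n' "$ns" "$lport"
    printf 'ipchains -A output -i $EXTRN_IFACE -p udp -s $IPADDR %s -d %s 53 -j ACCEPT\n' "$lport" "$ns"
}

# Constructed inputs: a named.conf fragment with a fixed query-source port and
# a two-line hints file using a TEST-NET address.
CONF=$(mktemp); HINTS=$(mktemp)
printf 'options {\n\tquery-source address * port 53;\n\tforward first;\n};\n' > "$CONF"
printf '; constructed hints\n.\t3600000 IN NS a.example.\na.example.\t3600000 A 192.0.2.53\n' > "$HINTS"

# One reply port feeds both rule groups, so the root-server rules use the same
# local port as the forwarder rules.
LPORT=$(query_source_port "$CONF")
for NS in $(root_server_addrs "$HINTS"); do dns_rules_for "$LPORT" "$NS"; done
```

Running it against the real /etc/named.conf and db.cache instead of the constructed files shows which local port the root-server rules must name for the configured query-source setting.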


