Root server DNS traffic across Linux/ipchains firewall?

Steve Snyder swsnyder at home.com
Thu Oct 21 22:39:53 UTC 1999


Joseph S D Yao wrote:
> 
> I'm afraid that most V8++ BINDs will be addressing you FROM random
> ports [as many current network programs do] but always TO port 53.  You
> might be well advised not to block on source ports, but only on
> destination ports.

Hmm.  Well, let me ask a different but related question.  

My nameserver is only authoritative for non-routable addresses (the 
nodes on my LAN) and I use the BIND "allow-query {}" option to 
restrict queries to only the machines on my LAN.  There shouldn't be 
any legitimate reason for my nameserver to be called from an arbitrary 
address.

Given these circumstances, it seems reasonable to assume that I will 
only be contacted by 15 specific addresses: my ISP's 2 nameservers and 
the 13 root nameservers.  

(Note that the addresses of the root nameservers are listed in my 
hints file, regularly updated by dig, so I know what they are.) 

Is this a valid assumption?

Thank you.

***** Steve Snyder *****
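The post above wants to turn "the 13 root servers plus my ISP's 2 nameservers" into a firewall whitelist, and the reply it quotes says to match on the destination port rather than the source port. The script below is an added example, not code from the original thread or from BIND: it reads a hints file (the db.cache / named.root format that `dig` produces), pulls out the A records, and emits ipchains rules that accept DNS traffic from those addresses to the nameserver's port 53 while never matching on the source port. The hints text, the ISP addresses and the nameserver address `203.0.113.53` are constructed placeholders from documentation ranges, not the real root server addresses. Two things the hints list does not cover: replies to the server's own outbound queries arrive at whatever port BIND chose as its query-source port, so they match these rules only if that port is 53, and a server that recurses for LAN clients also exchanges packets with whichever authoritative servers the root referrals lead to, which are not in the hints file.

```python
import re
from typing import List

# Constructed sample in BIND hints-file format. These are documentation-range
# addresses, NOT the real root servers; a real file comes from something like
#   dig @a.root-servers.net . ns > db.cache
SAMPLE_HINTS = """\
; constructed sample, not the real root hints
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000  IN  A     192.0.2.107
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     198.51.100.12
"""

# Constructed placeholders for the ISP's two nameservers.
ISP_NAMESERVERS = ["203.0.113.10", "203.0.113.11"]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hints(text: str) -> List[str]:
    """Return the IPv4 addresses of every A record in a hints file, in file
    order and without duplicates. Comments (';'), blank lines and NS records
    are skipped; an optional 'IN' class field is tolerated."""
    addrs: List[str] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip trailing comments
        fields = line.split()
        if len(fields) < 4:  # need at least owner, ttl, type, rdata
            continue
        rest = fields[2:]
        if rest[0].upper() == "IN":
            rest = rest[1:]
        if len(rest) != 2:
            continue
        rtype, rdata = rest
        if rtype.upper() == "A" and IPV4.match(rdata) and rdata not in addrs:
            addrs.append(rdata)
    return addrs


def ipchains_rules(peers: List[str], ns_addr: str, chain: str = "input") -> List[str]:
    """Build ipchains rules (as strings, not executed) that accept UDP and TCP
    traffic from each peer to port 53 on ns_addr, then log and deny port 53
    from anyone else. Only the destination port is specified; the source port
    is left unconstrained, which is the point made in the reply above."""
    rules: List[str] = []
    for proto in ("udp", "tcp"):
        for ip in peers:
            rules.append(
                f"ipchains -A {chain} -p {proto} -s {ip} -d {ns_addr} 53 -j ACCEPT"
            )
    for proto in ("udp", "tcp"):
        # -l logs the packet before the DENY so unexpected peers show up in syslog
        rules.append(f"ipchains -A {chain} -p {proto} -d {ns_addr} 53 -l -j DENY")
    return rules


def rules_for_hints(text: str, ns_addr: str) -> List[str]:
    """Combine the root-server addresses from the hints file with the ISP
    nameservers and return the full rule list."""
    return ipchains_rules(parse_hints(text) + ISP_NAMESERVERS, ns_addr)


if __name__ == "__main__":
    # 203.0.113.53 is a placeholder for the firewall host's own address.
    for rule in rules_for_hints(SAMPLE_HINTS, "203.0.113.53"):
        print(rule)
```

The rules are printed rather than executed so the list can be reviewed (and compared against the real hints file after each `dig` refresh) before it is loaded; anything denied shows up in the log, which is the quickest way to find out whether the "15 addresses" assumption holds on a given server.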


More information about the bind-users mailing list