Root server DNS traffic across Linux/ipchains firewall?

Joseph S D Yao jsdy at cospo.osis.gov
Thu Oct 21 22:58:58 UTC 1999


> Joseph S D Yao wrote:
> > I'm afraid that most V8++ BINDs will be addressing you FROM random
> > ports [as many current network programs do] but always TO port 53.  You
> > might be well advised not to block on source ports, but only on
> > destination ports.

[I meant incoming; I think you knew that.]

> My nameserver is only authoritative for non-routable addresses (the
> nodes on my LAN) and I use the BIND "allow-query {}" option to 
> restrict queries to only the machines on my LAN.  There shouldn't be 
> any legitimate reason for my nameserver to be called from an arbitrary 
> address.
> 
> Given these circumstances, it seems reasonable to assume that I will 
> only be contacted by 15 specific addresses: my ISP's 2 nameservers and 
> the 13 root nameservers.  
> 
> (Note that the addresses of the root nameservers are listed in my 
> hints file, regularly updated by dig, so I know what they are.) 
> 
> Is this a valid assumption?

Mostly.  Root server addresses may change or be added to.

--
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
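The reply's caveat is that root server addresses change, while the firewall allow-list in the question is built from whatever the hints file held when the rules were written. The following added script (not from the thread, and not BIND's own code) parses the A records of a hints file and reports which addresses a static allow-list would now drop, and which allowed entries are no longer in the hints. The hints content, allow-list and ISP nameserver addresses are constructed samples, not real root server addresses.

```python
"""Compare a BIND root hints file against a static firewall allow-list."""
import re

# Constructed sample hints file in zone-file format (made-up addresses).
SAMPLE_HINTS = """\
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.107
.                        3600000      NS    C.ROOT-SERVERS.NET.   ; added since rules were written
C.ROOT-SERVERS.NET.      3600000      A     192.0.2.12
"""

# Constructed allow-list: addresses the firewall currently permits to port 53.
ALLOWED = {"192.0.2.4", "192.0.2.107", "192.0.2.99", "203.0.113.1", "203.0.113.2"}
# Constructed ISP nameserver addresses, which are allowed but not in the hints.
ISP_NS = {"203.0.113.1", "203.0.113.2"}

# owner  TTL  [IN]  A  dotted-quad
A_RECORD = re.compile(
    r"^(\S+)\s+\d+\s+(?:IN\s+)?A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.I)


def parse_hints(text):
    """Return {hostname: address} for every A record in hints-file text."""
    hosts = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip zone-file comments
        m = A_RECORD.match(line)
        if m:
            hosts[m.group(1).lower().rstrip(".")] = m.group(2)
    return hosts


def audit(hints_text, allowed, isp_ns):
    """Return (blocked, stale).

    blocked: root addresses from the hints that the allow-list would drop.
    stale:   allowed addresses that are neither ISP nameservers nor in the hints.
    """
    roots = set(parse_hints(hints_text).values())
    blocked = sorted(roots - allowed)
    stale = sorted(allowed - roots - isp_ns)
    return blocked, stale


if __name__ == "__main__":
    blocked, stale = audit(SAMPLE_HINTS, ALLOWED, ISP_NS)
    print("would be blocked:", blocked)
    print("stale allow-list entries:", stale)
```

Run it against the live hints file each time dig refreshes it, and treat a non-empty "blocked" list as a rule update that is due.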