Root server DNS traffic across Linux/ipchains firewall?
Joseph S D Yao
jsdy at cospo.osis.gov
Thu Oct 21 22:58:58 UTC 1999
> Joseph S D Yao wrote:
> > I'm afraid that most V8++ BINDs will be addressing you FROM random
> > ports [as many current network programs do] but always TO port 53. You
> > might be well advised not to block on source ports, but only on
> > destination ports.
[I meant incoming; I think you knew that.]
> My nameserver is only authoritative for non-routable addresses (the
> nodes on my LAN) and I use the BIND "allow-query {}" option to
> restrict queries to only the machines on my LAN. There shouldn't be
> any legitimate reason for my nameserver to be called from an arbitrary
> address.
>
> Given these circumstances, it seems reasonable to assume that I will
> only be contacted by 15 specific addresses: my ISP's 2 nameservers and
> the 13 root nameservers.
>
> (Note that the addresses of the root nameservers are listed in my
> hints file, regularly updated by dig, so I know what they are.)
>
> Is this a valid assumption?
Mostly. Root server addresses may change or be added to.
--
Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
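The following is an added example, not code from this thread or from BIND: it regenerates the per-address allow list from the hints file (so the "root servers may change" caveat is handled by re-running it after `dig` refreshes the file) and emits rules that match on destination port 53 only, as advised above. The hints excerpt is a constructed sample using documentation addresses, the local nameserver address is a placeholder, and the ipchains `-d addr port` syntax is assumed.

```python
"""Rebuild a per-address DNS allow list from a BIND hints file.

Constructed example: the hints excerpt is made up (documentation range
192.0.2.0/24, not real root server addresses) and the emitted ipchains
lines match on the destination port (53), never on the source port,
because queries arrive from random source ports.
"""
import ipaddress

# Constructed sample in the db.cache / named.root layout.
SAMPLE_HINTS = """\
;  root name server hints (constructed sample, not the real file)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.107
"""


def parse_hints(text):
    """Return {hostname: address} for every A record in a hints file."""
    servers = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip comments
        fields = line.split()
        if len(fields) < 4:                      # blank or NS-only lines
            continue
        name, rtype, rdata = fields[0], fields[-2], fields[-1]
        if rtype != "A":                         # class (IN) may be omitted
            continue
        # IPv4Address() raises on garbage, so a corrupt file fails loudly.
        servers[name.rstrip(".").lower()] = str(ipaddress.IPv4Address(rdata))
    return servers


def allow_rules(servers, local_ns, chain="input", port=53):
    """ipchains lines accepting DNS from each listed address to our server.
    Only the destination port is matched; the source port is left open."""
    rules = []
    for name, addr in sorted(servers.items()):
        for proto in ("udp", "tcp"):
            rules.append(f"ipchains -A {chain} -p {proto} -s {addr} "
                         f"-d {local_ns} {port} -j ACCEPT  # {name}")
    return rules


def address_changes(deployed, servers):
    """(added, removed) between the deployed address list and a fresh hints
    file; anything non-empty means the firewall list is stale."""
    current = set(servers.values())
    return sorted(current - set(deployed)), sorted(set(deployed) - current)
```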