access lists and BIND

Mark.Andrews at nominum.com
Tue Jul 11 00:42:08 UTC 2000


	BIND listens for and responds to queries on port 53 UDP/TCP.

	BIND generates queries and listens for their answers on
	random UDP and TCP ports by default.  You can lock down
	the UDP port using query-source.  Using "query-source *
	port 53;" will give you the same port usage as BIND 4.

	This should be enough information to allow you to set up
	appropriate acls in your firewall.

	Mark

> 
> Hello!
> 
> I am cross posting this because I believe it applies to both
> groups.  I have recently been spinning my wheels trying to upgrade
> to bind 8.2.2-P5.  For the life of me, I could not figure out why
> bind was not resolving outside addresses - ie www.microsoft.com, 
> www.ibm.com, etc.   Via NSLOOKUP, the command would time out with
> an error message that the servers were not available.  I had a 
> brainstorm when I realized the problem was not with bind, but with
> the access lists within our router.  We try to maintain a fairly
> tight choke hold on traffic through the router, and although incoming
> TCP requests were allowed via :
> 
> access-list 111 permit tcp any any gt 1023
> 
> The returning DNS queries were coming back UDP on port 1040-1050,
> which was being denied.  Is there a way to control which port the 
> answer comes back on?
> 
> I put in the following command which seems to be working :
> 
> ! dns - allow any request from port 53 (domain) to anything here
> access-list 111 permit udp any eq domain any
> 
> I believe this is basically saying permit any UDP request on a remote
> port of 53 (domain) to anything local.
> 
> I realize that this is basically letting anyone running something on
> port 53 through, but is this fairly low risk or is there a better way
> to do this besides calling out each port the request comes back on.
> 
> 
> access-list 111 permit udp any eq domain any eq 1040
> access-list 111 permit udp any eq domain any eq 1041
> access-list 111 permit udp any eq domain any eq 1042
> ....
> access-list 111 permit udp any eq domain any eq 1050
> 
> 
> 
> 
> -- 
>                                                   John
> ______________________________________________________
> Customer Service                 Software Workshop Inc.
> jmurtari at thebook.com                "TheBook.Com" (TM)
> 315-635-1968, x-211            http://www.thebook.com/
> 
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
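The exchange above turns on how an IOS extended access list matches a DNS reply. The following is an added example, not code from either message or from BIND or Cisco: a small Python model of the extended-ACL semantics that matter here (first matching entry wins, implicit deny at the end, `eq`/`gt` port tests). It evaluates three constructed packets against three rule sets: John's original TCP-only line, the broad `permit udp any eq domain any` line he added, and a narrower line that is only workable once named.conf carries `query-source address * port 53;` as Mark describes, so that every reply to the resolver arrives at port 53 on the server itself. The `192.0.2.x` and `198.51.100.x` addresses are constructed. One trade-off to keep in view: pinning the query source port makes the firewall rule precise, but it also removes the per-query source-port variation that a resolver otherwise gets from the OS, which is a property defenders generally want to keep.

```python
"""Model of a Cisco extended access list, used to check which DNS packets
the rules discussed in this thread admit.  Added example, not part of the
original posts; all addresses are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A port test as written in IOS: ("eq", 53), ("gt", 1023), or None for any port.
PortTest = Optional[Tuple[str, int]]


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One 'access-list N permit|deny proto src [op port] dst [op port]' line."""
    action: str
    proto: str
    src: str          # "any" or a single host address
    sport: PortTest
    dst: str
    dport: PortTest

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and _addr_ok(self.src, p.src) and _addr_ok(self.dst, p.dst)
                and _port_ok(self.sport, p.sport) and _port_ok(self.dport, p.dport))


def _addr_ok(rule: str, addr: str) -> bool:
    return rule == "any" or rule == addr


def _port_ok(test: PortTest, port: int) -> bool:
    if test is None:
        return True
    op, value = test
    if op == "eq":
        return port == value
    if op == "gt":
        return port > value
    raise ValueError(f"unsupported port operator {op!r}")


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry decides; IOS applies an implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


NS = "192.0.2.10"  # constructed address of the local name server

# The original rule from the thread: only TCP to ports above 1023.
ORIGINAL = [Ace("permit", "tcp", "any", None, "any", ("gt", 1023))]

# The rule John added: any UDP with source port 53, to any local host and port.
BROAD = ORIGINAL + [Ace("permit", "udp", "any", ("eq", 53), "any", None)]

# Narrower rule, valid only if named.conf pins the query source port:
#     options { query-source address * port 53; };
# Then replies from remote servers arrive at port 53 on the name server only.
NARROW = ORIGINAL + [Ace("permit", "udp", "any", ("eq", 53), NS, ("eq", 53))]

# Constructed packets: a reply to a query sent from a random high port,
# a reply to a query sent from port 53, and unsolicited UDP from port 53
# aimed at some other internal host.
REPLY_RANDOM_PORT = Packet("udp", "198.51.100.53", 53, NS, 1042)
REPLY_PORT_53 = Packet("udp", "198.51.100.53", 53, NS, 53)
OTHER_HOST_FROM_53 = Packet("udp", "198.51.100.53", 53, "192.0.2.77", 1040)


def verdicts(acl: List[Ace]) -> Tuple[str, str, str]:
    """Verdicts for (reply to random port, reply to port 53, other host)."""
    return (evaluate(acl, REPLY_RANDOM_PORT),
            evaluate(acl, REPLY_PORT_53),
            evaluate(acl, OTHER_HOST_FROM_53))


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("broad", BROAD), ("narrow", NARROW)):
        print(f"{name:9s} {verdicts(acl)}")
```

Running it shows the three situations side by side: the original list denies every UDP reply (which is exactly the timeout John saw), the broad line admits all three packets including the one to an unrelated internal host, and the narrow line admits only the reply to port 53 on the name server, so it only works together with the query-source setting.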


