Problem with query-source
Neil Gunton
neil at nilspace.com
Thu Jan 4 02:00:04 UTC 2001
Mark.Andrews at nominum.com wrote:
>
> It's blocking remote queries now:-)
Yup, that's actually intentional. It's my security policy, there
shouldn't be anyone out there using me as their DNS - so the default
policy is "deny everything outside my internal network". I then allow
queries only for those domains which I want to be visible, as follows:
(e.g.)
zone "crazyguyonabike.com" {
    type master;
    file "crazyguyonabike.com.hosts";
    allow-query { any; };
};
Sorry I forgot to mention this. I assume that I don't need the
query-source in this section too, do I?
> Are you sure it is the nameserver and not some other application
> running on the box. If you run lsof on named you will see that
> it is only listening on port 53. If you don't have query-source
> set it will be listening on some other port in addition to port
> 53.
I will need to look into your suggestion. I am not sure how to read the
output from lsof, which I have never used before. Thanks for the tip, I
will be back in touch if I am still sure this is bind... for the hell of
it, here's the output. I just piped it through grep named initially...
[root at firewall /root]# lsof | grep named
named 569 root cwd DIR 8,21 4096 163548 /var/named
named 569 root rtd DIR 8,21 4096 2 /
named 569 root txt REG 8,5 716508 49419 /usr/sbin/named
named 569 root mem REG 8,21 398294 114544 /lib/ld-2.2.so
named 569 root mem REG 8,21 4761074 114553 /lib/libc-2.2.so
named 569 root mem REG 8,21 231496 114559 /lib/libnss_files-2.2.so
named 569 root mem REG 8,21 286718 114561 /lib/libnss_nisplus-2.2.so
named 569 root mem REG 8,21 394210 114557 /lib/libnsl-2.2.so
named 569 root mem REG 8,21 261834 114560 /lib/libnss_nis-2.2.so
named 569 root 0u CHR 1,3 212585 /dev/null
named 569 root 1u CHR 1,3 212585 /dev/null
named 569 root 2u CHR 1,3 212585 /dev/null
named 569 root 3u unix 0xc772e140 557 socket
named 569 root 5u unix 0xc772e6c0 560 /var/run/ndc
named 569 root 20u IPv4 564 UDP firewall:domain
named 569 root 21u IPv4 565 TCP firewall:domain (LISTEN)
named 569 root 22u IPv4 566 UDP firewall:domain
named 569 root 23u IPv4 567 TCP firewall:domain (LISTEN)
named 569 root 24u IPv4 568 UDP firewall:domain
named 569 root 25u IPv4 569 TCP firewall:domain (LISTEN)
[root at firewall /root]#
Does this tell you anything?
> > Your point about not allowing out packets which I don't intend to allow
> > answers to is well taken, but that's kind of like telling someone who's
> > just been run over that they shouldn't be lying in the middle of the
> > road - it's kinda dangerous...
>
> No. It's being a good netizen. Servers end up being pounded upon
> because people have firewalls that allow packets out that they
> don't allow answers back for, this includes ICMP responses.
Point taken. I will revise my firewall rules to only allow outgoing
traffic which I approve of. This makes sense because I do disallow
incoming ICMP packets mostly. If an application (probably netscape) is
trying to do stuff with ICMP then I need to trap that at the source.
Thanks again!
-Neil
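As an added example (not code from this thread, from BIND or from lsof), here is a small Python checker that reads lsof output in the format quoted above and reports which UDP/TCP endpoints each process holds, flagging any named socket that is not on the DNS port. That is the check Mark describes: with no query-source statement, named opens its outbound query socket on a second, ephemeral port, and that port shows up as an extra UDP row. In the output above every named socket is firewall:domain, i.e. port 53 on both UDP and TCP, so nothing would be flagged. Two related points for anyone reading this later: query-source belongs in the options {} block of named.conf rather than in a zone {} block, and pinning it to port 53, as was common practice when this was written, removes the source-port randomisation that current BIND releases rely on to resist cache poisoning, so on a modern server it is better left unset. The sample input is constructed from the lines above, with one extra UDP row on port 1043 and an sshd row added to show the flagging; those two rows and the small service-name table are assumptions.

```python
"""Report the network sockets a daemon holds, from lsof's default listing.

Example code written for this thread, not part of BIND or lsof. It parses
the UDP/TCP rows of `lsof` output (COMMAND PID USER FD TYPE DEVICE NODE NAME
[STATE]) and flags sockets of a given command that sit outside an allowed
set of ports, e.g. a nameserver whose query socket is on an ephemeral port.
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, modelled on the lsof output quoted in the thread.
# The "26u ... firewall:1043" and "sshd" rows are constructed additions
# (an unpinned UDP query socket and an unrelated listener), not from the thread.
SAMPLE_LSOF = """\
named 569 root cwd DIR 8,21 4096 163548 /var/named
named 569 root txt REG 8,5 716508 49419 /usr/sbin/named
named 569 root 0u CHR 1,3 212585 /dev/null
named 569 root 3u unix 0xc772e140 557 socket
named 569 root 20u IPv4 564 UDP firewall:domain
named 569 root 21u IPv4 565 TCP firewall:domain (LISTEN)
named 569 root 22u IPv4 566 UDP firewall:domain
named 569 root 23u IPv4 567 TCP firewall:domain (LISTEN)
named 569 root 26u IPv4 570 UDP firewall:1043
sshd 412 root 3u IPv4 401 TCP *:ssh (LISTEN)
"""

# Only rows whose TYPE is IPv4/IPv6 and NODE is UDP/TCP are network sockets;
# cwd/txt/mem rows, unix sockets and shell prompts do not match this pattern.
_SOCKET_ROW = re.compile(
    r"^(?P<command>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\d+[rwu]?)\s+"
    r"(?P<family>IPv4|IPv6)\s+\S+\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)

# Assumed fallback for hosts without /etc/services; lsof prints service
# names ("domain", "ssh") unless run with -P.
_FALLBACK_SERVICES = {"domain": 53, "ssh": 22}


@dataclass(frozen=True)
class NetSocket:
    command: str
    pid: int
    fd: str
    proto: str
    host: str
    port: Optional[int]   # None when the service name cannot be resolved
    state: Optional[str]  # e.g. "LISTEN" for TCP listeners, None for UDP


def _port_number(token: str) -> Optional[int]:
    """Turn '53', 'domain' or 'ssh' into a port number; None if unknown."""
    if token.isdigit():
        return int(token)
    if token in _FALLBACK_SERVICES:
        return _FALLBACK_SERVICES[token]
    try:
        return socket.getservbyname(token)
    except OSError:
        return None


def parse_lsof(text: str) -> List[NetSocket]:
    """Return one NetSocket per UDP/TCP row of lsof output; other rows are skipped."""
    found = []
    for line in text.splitlines():
        m = _SOCKET_ROW.match(line.strip())
        if not m:
            continue
        host, _, port_token = m.group("name").rpartition(":")
        found.append(NetSocket(
            command=m.group("command"), pid=int(m.group("pid")), fd=m.group("fd"),
            proto=m.group("proto"), host=host, port=_port_number(port_token),
            state=m.group("state"),
        ))
    return found


def unexpected_ports(sockets: List[NetSocket], command: str,
                     allowed: Set[int]) -> List[NetSocket]:
    """Sockets of `command` bound to a port outside `allowed` (unresolved ports count)."""
    return [s for s in sockets if s.command == command and s.port not in allowed]


def summarize(sockets: List[NetSocket]) -> Dict[str, List[Tuple[str, Optional[int], Optional[str]]]]:
    """Map each command to a sorted list of the (proto, port, state) endpoints it holds."""
    by_cmd: Dict[str, set] = {}
    for s in sockets:
        by_cmd.setdefault(s.command, set()).add((s.proto, s.port, s.state))
    return {cmd: sorted(v, key=lambda t: (t[0], t[1] or 0, t[2] or ""))
            for cmd, v in by_cmd.items()}


if __name__ == "__main__":
    socks = parse_lsof(SAMPLE_LSOF)
    for cmd, endpoints in summarize(socks).items():
        print(cmd, endpoints)
    # A nameserver is expected on port 53 only; anything else is an extra query socket.
    for s in unexpected_ports(socks, "named", {53}):
        print(f"named fd {s.fd}: {s.proto} {s.host}:{s.port} is not the DNS port "
              "(an outbound query socket on an ephemeral port)")
```

On a live host, feed it the real listing with `lsof -i -n -P | python3 check_named.py`-style piping by replacing SAMPLE_LSOF with `sys.stdin.read()`; the `-P` flag makes lsof print numeric ports so the service-name fallback is not needed.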