Problem with query-source

Neil Gunton neil at nilspace.com
Thu Jan 4 02:00:04 UTC 2001


Mark.Andrews at nominum.com wrote:
> 
>         It's blocking remote queries now:-)

Yup, that's actually intentional. It's my security policy: there
shouldn't be anyone out there using me as their DNS, so the default
policy is "deny everything outside my internal network". I then allow
queries only for those domains which I want to be visible, as follows:
(e.g.)

zone "crazyguyonabike.com" {
	type master;
	file "crazyguyonabike.com.hosts";
	allow-query { any; };
};

Sorry I forgot to mention this. I assume that I don't need the
query-source in this section too, do I?

>         Are you sure it is the nameserver and not some other application
>         running on the box.  If you run lsof on named you will see that
>         it is only listening on port 53.  If you don't have query-source
>         set it will be listening on some other port in addition to port
>         53.

I will need to look into your suggestion. I am not sure how to read the
output from lsof, which I have never used before. Thanks for the tip, I
will be back in touch if I am still sure this is bind... for the hell of
it, here's the output. I just piped it through grep named initially...

[root@firewall /root]# lsof | grep named
named    569 root  cwd    DIR       8,21    4096   163548 /var/named
named    569 root  rtd    DIR       8,21    4096        2 /
named    569 root  txt    REG        8,5  716508    49419 /usr/sbin/named
named    569 root  mem    REG       8,21  398294   114544 /lib/ld-2.2.so
named    569 root  mem    REG       8,21 4761074   114553 /lib/libc-2.2.so
named    569 root  mem    REG       8,21  231496   114559 /lib/libnss_files-2.2.so
named    569 root  mem    REG       8,21  286718   114561 /lib/libnss_nisplus-2.2.so
named    569 root  mem    REG       8,21  394210   114557 /lib/libnsl-2.2.so
named    569 root  mem    REG       8,21  261834   114560 /lib/libnss_nis-2.2.so
named    569 root    0u   CHR        1,3           212585 /dev/null
named    569 root    1u   CHR        1,3           212585 /dev/null
named    569 root    2u   CHR        1,3           212585 /dev/null
named    569 root    3u  unix 0xc772e140              557 socket
named    569 root    5u  unix 0xc772e6c0              560 /var/run/ndc
named    569 root   20u  IPv4        564              UDP firewall:domain
named    569 root   21u  IPv4        565              TCP firewall:domain (LISTEN)
named    569 root   22u  IPv4        566              UDP firewall:domain
named    569 root   23u  IPv4        567              TCP firewall:domain (LISTEN)
named    569 root   24u  IPv4        568              UDP firewall:domain
named    569 root   25u  IPv4        569              TCP firewall:domain (LISTEN)
[root@firewall /root]#

Does this tell you anything?

> > Your point about not allowing out packets which I don't intend to allow
> > answers to is well taken, but that's kind of like telling someone who's
> > just been run over that they shouldn't be lying in the middle of the
> > road - it's kinda dangerous...
> 
>         No. It's being a good netizen. Servers end up being pounded upon
>         because people have firewalls that allow packets out that they
>         don't allow answers back for; this includes ICMP responses.

Point taken. I will revise my firewall rules to only allow outgoing
traffic which I approve of. This makes sense because I do disallow
incoming ICMP packets mostly. If an application (probably netscape) is
trying to do stuff with ICMP then I need to trap that at the source.

Thanks again!

-Neil
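As an added example (not part of Neil's or Mark's posts, and not BIND's own code), here is a POSIX shell script that does two things the thread talks around: it emits the named.conf layout the policy above implies, with the default deny in the options block, the per-zone allow-query { any; } override, and query-source placed in options (it is an options statement, not a zone statement); and it parses lsof output the way Mark suggests, listing the UDP ports named has bound and reporting whether they are all port 53. The internal range 192.168.1.0/24, the directory line, the function names and the sample lsof line on port 1043 are assumptions of this example; the other sample lsof lines are copied from the output above.

```shell
#!/bin/sh
# Added example, not code from the bind-users thread or from BIND.
# Assumed: internal network 192.168.1.0/24, zone data under /var/named.
set -eu

# Emit the named.conf fragment implied by "deny everything outside my
# internal network, then open specific zones".  query-source lives in
# options, not in the zone statement (BIND 8/9 syntax).
named_conf_fragment() {
    cat <<'EOF'
options {
        directory "/var/named";                        // assumed
        // Default policy: only loopback and the internal LAN may query.
        allow-query { 127.0.0.1; 192.168.1.0/24; };   // assumed range
        // Send outgoing queries from port 53 so the firewall can match
        // the answers on one predictable port.
        query-source address * port 53;
};

// Zones meant to be visible to the world override the default.
zone "crazyguyonabike.com" {
        type master;
        file "crazyguyonabike.com.hosts";
        allow-query { any; };
};
EOF
}

# Read lsof lines on stdin (plain lsof or lsof -nP) and print the distinct
# UDP ports named has bound, one per line, numerically sorted.
# "domain" (the name lsof prints without -P for 53/udp) is mapped to 53.
named_udp_ports() {
    awk '$1 == "named" {
            for (i = 1; i < NF; i++)
                if ($i == "UDP") {
                    n = split($(i + 1), a, ":")
                    p = a[n]
                    if (p == "domain") p = 53
                    if (p != "") print p
                }
         }' | sort -un
}

# Exit 0 when every UDP socket is on port 53 (query-source pinned),
# 1 when named also uses some other port (query-source not set).
query_source_pinned() {
    ports=$(named_udp_ports)
    [ -n "$ports" ] || return 1
    for p in $ports; do
        [ "$p" = "53" ] || return 1
    done
    return 0
}

# Sample 1: lines copied from the lsof output in the post (query-source set).
SAMPLE_PINNED='named    569 root   20u  IPv4        564              UDP firewall:domain
named    569 root   21u  IPv4        565              TCP firewall:domain (LISTEN)
named    569 root   22u  IPv4        566              UDP firewall:domain'

# Sample 2: constructed; the extra UDP socket on an arbitrary port is what
# Mark describes seeing when query-source is not set (port 1043 is made up).
SAMPLE_UNPINNED="$SAMPLE_PINNED
named    569 root   26u  IPv4        570              UDP *:1043"

# Demonstration on the two samples.
named_conf_fragment
if printf '%s\n' "$SAMPLE_PINNED" | query_source_pinned; then
    echo "sample 1: named only sends from UDP/53 (query-source pinned)"
fi
if ! printf '%s\n' "$SAMPLE_UNPINNED" | query_source_pinned; then
    echo "sample 2: named also bound UDP port(s) other than 53:"
    printf '%s\n' "$SAMPLE_UNPINNED" | named_udp_ports | grep -v '^53$'
fi
```

On the real box the check is `lsof -nP -c named | query_source_pinned` (`-c named` selects by command name; `-nP` keeps addresses and ports numeric). One caveat for anyone reading this long after 2001: pinning query-source to a single fixed port is exactly what later BIND releases stopped doing by default, because a predictable source port makes cache poisoning far easier; the egress rule should allow the server's randomized source ports rather than force them back to 53.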
