bind - firewalling

Simon Waters Simon at wretched.demon.co.uk
Tue Jul 24 15:57:58 UTC 2001


Wilhelm Grundner wrote:
> 
> nameserver:
> 
>         linux redhat 6.2
>         kernel-2.2.16-3
>         bind-8.2.3-0.6.x
> 
> firewall:
> 
>         linux redhat 6.2
>         kernel-2.2.16-5
>         ipchains-1.3.9-5

Additional to Brad's comments, 2.2.19 is the latest 2.2 Linux
kernel with all the latest security fixes. IPChains isn't
up to date either.

> here's my problem - which does not occur
> regularly - only sometimes:
> 
> dns with the locally managed zones works fine.
> 
> but as soon as i query another nameserver outside
> our company - 'course i have to go thru a firewall
> for this - the ip-address of my nameserver gets
> translated to the inside-interface of the firewall
> instead of the outside-interface of the firewall
> and so there's no way back for the ip-packet (the
> firewall-config has been checked and can be considered ok).

ipchains implements ip masquerading, so there should be a
temporary way back.

However this temporary way back assumes:

	1) The remote server responds quickly enough.

	2) The remote server responds with the same source IP
	   address. I'm assured modern BIND implementations do
	   this, but old, and different name servers may still
	   reply from a different address if they have multiple
	   interfaces.

If either of these conditions is breached, your firewall
should log a lost packet, and the DNS lookup will fail. In
my experience this is a tolerably small loss rate and easily
ignored!

Of course it is possible one of your business partners has
massively overworked DNS servers, with lots of interfaces,
and a very old version of BIND - but I doubt it *8-)
 
> the reason why i suspect that the bind-sw could
> have something to do with it is, that the firewall-sw
> 'ipchains' did have troubles with the sender-port 53.

Sounds like a firewall configuration issue, I've used
ipchains like this many times without issue.
 
> when we changed the source-port >1023 it worked out fine
> but only until yesterday. and since then we have a major
> problem - as you can imagine.

Sorry, I don't understand what you changed yesterday.

If you added or removed a "source port" line to the
named.conf you may have to reconfigure the firewall.
