allowing dig through ipchains
George Kallingal
gkallingal at ecs.com
Fri May 18 00:04:02 UTC 2001
This might be a trivial question, but I wanted to know if the dig utility
uses TCP/UDP port 53 when performing queries. I am running bind 8.2.3 on RH
6.2 with ipchains as a firewall.
My configuration is as follows...
# DNS server (53)
# ---------------
# DNS: full server
# ----------------
# server/client to server query or response
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--source-port $UNPRIVPORTS \
-d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
--destination-port $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
--destination-port 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--source-port 53 \
-d $IPADDR 53 -j ACCEPT
# DNS client (53)
# ---------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_2 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_2 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_2 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_2 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
When I perform a dig of a remote DNS server, I received a connection
refused.
dig @216.115.239.42 drbenefits.com
; <<>> DiG 8.3 <<>> @216.115.239.42 drbenefits.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server 216.115.239.42: Connection refused
Any assistance would be greatly appreciated.
More information about the bind-users
mailing list