Foreign port 53 connections?

Nate Campi nate at wired.com
Sun Nov 4 08:42:35 UTC 2001


On Sun, Nov 04, 2001 at 03:31:41AM -0000, Pedro Fonseca wrote:
> 
> I'm running Bind on a host with a static IP. Bind listens on port 53. The
> problem is, that my firewall is blocking packets arriving from
> computers' port 53 to my host on some port bigger than 1023...
> 
> Why are other nameservers trying to access my host? If they wanted to
> communicate with my nameserver, shouldn't they do it from their port 53 to
> my 53?

The default for BIND version 8.1 and later (IIRC on which version was
first) is to send outbound queries from a port > 1023. You have to
set 'query-source port 53;' in named.conf so that any and all DNS
traffic from your server comes and goes to port 53 if you want BIND to
work with your firewall setup.

Assuming this is for a network, I'd recommend:

1) Turning off recursion on your nameserver so it *never* sends outbound
   queries anyway, then this firewall setup is fine.

2) Set up another nameserver for internal resolution (don't forget to set
   the resolver on your public nameserver to use this box for resolution
   also), and allow inbound traffic from source port 53 to high ports on
   the resolving nameserver. Point all internal boxes at this one for
   resolution. Now you need additional rules either on the firewall or
   on the host if you run services like NFS, to make sure packets from
   the internet coming from source port 53 can't reach services on high
   ports on your internal nameserver (like NFS) :(
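The hole described in option 2, modelled as an added example that is not part of Nate's post: a tiny first-match packet filter shows that a bare "allow source port 53 to high ports on the resolver" rule also admits traffic to any service listening on a high port, and that an explicit deny for those ports placed before it closes the gap. The resolver address, the remote address and the list of high-port services are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "drop"
    dst: Optional[str] = None         # None matches any destination host
    sport: Optional[int] = None       # None matches any source port
    dport_min: int = 0
    dport_max: int = 65535
    proto: Optional[str] = None       # None matches any protocol

    def matches(self, p: Packet) -> bool:
        return ((self.dst is None or p.dst == self.dst)
                and (self.sport is None or p.sport == self.sport)
                and self.dport_min <= p.dport <= self.dport_max
                and (self.proto is None or p.proto == self.proto))


def decide(rules: Iterable[Rule], p: Packet, default: str = "drop") -> str:
    """First matching rule wins; anything unmatched gets the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


RESOLVER = "10.0.0.2"      # constructed: the internal resolving nameserver
REMOTE = "192.0.2.10"      # constructed: some host on the internet

# Option 2 as stated: let replies from remote port 53 reach high ports.
NAIVE = [Rule("accept", dst=RESOLVER, sport=53, dport_min=1024)]

# Constructed list of services the resolver might also run on high ports
# (e.g. NFS on 2049 and a portmapper-assigned RPC service).
HIGH_PORT_SERVICES = {2049, 32771}

# Hardened: deny those service ports first, then allow the DNS replies.
HARDENED = [Rule("drop", dst=RESOLVER, dport_min=p, dport_max=p)
            for p in sorted(HIGH_PORT_SERVICES)] + NAIVE


def exposed_high_port_services(rules, services, dst, sport=53) -> List[int]:
    """Listening high ports that a packet from the given source port can reach."""
    return sorted(p for p in services if p > 1023
                  and decide(rules, Packet(REMOTE, sport, dst, p)) == "accept")
```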
-- 
Nate Campi, UNIX Ops WiReD SF, Terra Lycos DNS, (415) 276-8678  

Microsoft is not the answer -- Microsoft is the question.
No is the answer.