Bind and Firewall

Simon Waters Simon at wretched.demon.co.uk
Sun Sep 9 14:37:32 UTC 2001


JayL wrote:

>         query-source address 66.92.78.13 port 53;

> ACCEPT     tcp  ------  anywhere             xxx.xxx.xxx.xxx     any
> ->   domain

Why have you obscured the IP address in the second location?
I assume it is the same as the first?

Looks to me like even if you get this approach to firewalling
working, you'll still allow people to issue arbitrary DNS queries
to your firewall from outside, and I don't think that is what
you want (Although it isn't very risky, you don't have to do
it).

Probably the quick fix for the above is not to "listen-on" the
external interface of the firewall. See the listen-on directive
in the ARM.

Similarly query-source doesn't need to be port 53, a higher port
would add some security through obscurity, and look less like a
DNS server running on a firewall *8-)

As for the ipchains problem, how about switching on some
logging, and seeing what is happening: "rndc querylog" and "-l"
on the ipchains rules.
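A named.conf fragment illustrating the listen-on, query-source and logging suggestions above (an added example, not the original poster's or Simon's configuration; the interface addresses, the acl name and the log path are assumed placeholders):

```conf
// Added example, not from the original post. Placeholder addresses:
// 192.0.2.1 = firewall's external interface, 192.168.1.1 = internal
// interface, 192.168.1.0/24 = the internal LAN.

acl "internal" { 192.168.1.0/24; 127.0.0.1; };

options {
    directory "/var/named";

    // Without listen-on, named binds every interface, so the external
    // side answers DNS too. Bind only the internal address and loopback.
    listen-on { 192.168.1.1; 127.0.0.1; };

    // Even if a socket were reachable, only internal clients may query
    // or recurse through this server.
    allow-query     { "internal"; };
    allow-recursion { "internal"; };

    // Outbound lookups leave from the external address, but not from
    // port 53: "port *" lets named pick an unprivileged ephemeral port.
    query-source address 192.0.2.1 port *;
};

// Query logging: "rndc querylog" toggles the queries category, so give
// it a channel to write to (path is a placeholder).
logging {
    channel query_log {
        file "/var/log/named/query.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
    category queries { query_log; };
};
```

On the ipchains side, adding -l to the DNS rules makes matched packets appear in the kernel log, so the two logs can be compared side by side.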

