Internal recursive nameserver access
Ladislav Vobr
lvobr at ies.etisalat.ae
Tue Aug 26 08:42:38 UTC 2003
:-) I put it wrong, and I am very sorry for this. I thought of a layer 4
firewall, which can just filter UDP traffic based on the port and the
source address, without keeping state of the application-specific
request/reply relation. UDP itself is a completely stateless protocol.
Ladislav
phn at icke-reklam.ipsec.nu wrote:
>Ladislav Vobr <lvobr at ies.etisalat.ae> wrote:
>
>>I posted a question just yesterday about the dig source port and got
>>many replies; thanks for all of them. I have a question about the access
>>required for proper functionality of an internal recursive nameserver. I
>>have an L3 firewall as the default gateway for this nameserver. I would
>>like to have the firewall set up as strictly as possible.
>
>>1. I have basically allowed on this firewall all internal clients to
>>query the internal recursive nameserver from any source port to my
>>destination DNS server port 53.
>>2. I have allowed the internal recursive nameserver (with source-query
>>set to the particular IP address 1.2.3.4 and port number abcd) to go out
>>from this source port to any destination with port 53.
>>3. And for UDP I have allowed replies coming from any source with source
>>port 53, destined to my DNS server's source port abcd.
>
>>Is there any better way, supposing you have only an L3 firewall, unable
>>to keep track of DNS query IDs and their relations?
>
>>What is the best way to use dig from such a nameserver occasionally?
>
>As stated before, authorizing on source port is of little value. What
>should be done is to have "packet state" saved in the firewall.
>I have no idea what an "L3" firewall is, or if it is capable of acting
>statefully. But statefulness is what you need.
>
>>Ladislav
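The difference the thread turns on (address/port rules with no memory versus a filter that remembers outbound queries) is easier to see on concrete packets. The following is an added example, not code from the thread or from BIND: it models the three stateless rules from the question and a stateful variant that admits an inbound reply only if it matches a query the filter saw leave, the way a UDP connection tracker keeps a 4-tuple entry. The nameserver address 1.2.3.4 comes from the question; the numeric query port standing in for "abcd", the internal client prefix and the remote addresses are constructed for the example. The stateful variant also drops the fixed-source-port requirement on outbound queries, which is the assumption that lets an occasional dig from an ephemeral port get its reply back.

```python
"""Stateless vs stateful filtering of a recursive nameserver's UDP DNS traffic.

Added example (not from the bind-users thread). It simulates firewall
decisions on constructed packets; nothing here touches a real firewall.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

NS_IP = "1.2.3.4"          # internal recursive nameserver (address from the thread)
NS_QPORT = 40000           # stands in for the fixed query source port "abcd" (assumption)
INTERNAL_PREFIX = "10.0.0."  # constructed internal client range (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX) or ip == NS_IP


class StatelessFilter:
    """The three rules from the question: match on addresses and ports only."""

    def allow(self, p: Packet) -> bool:
        if p.proto != "udp":
            return False
        # 1. internal clients, any source port -> nameserver:53
        if is_internal(p.src) and p.dst == NS_IP and p.dport == 53:
            return True
        # 2. nameserver from its fixed query port -> anywhere:53
        if p.src == NS_IP and p.sport == NS_QPORT and p.dport == 53:
            return True
        # 3. replies: anywhere with source port 53 -> nameserver:abcd
        if p.sport == 53 and p.dst == NS_IP and p.dport == NS_QPORT:
            return True
        return False


class StatefulFilter:
    """Same idea for new traffic, but a reply is admitted only if it matches
    a query this filter saw go out (the 4-tuple a UDP conntrack entry holds).
    Transaction-ID matching is left to the resolver, as a real tracker would."""

    def __init__(self) -> None:
        self.pending: Set[Tuple[str, int, str, int]] = set()

    def allow(self, p: Packet) -> bool:
        if p.proto != "udp":
            return False
        if is_internal(p.src) and p.dst == NS_IP and p.dport == 53:
            return True
        # Outbound query from the nameserver: any source port, remember it.
        if p.src == NS_IP and p.dport == 53:
            self.pending.add((p.dst, p.dport, p.src, p.sport))
            return True
        # Inbound: only the mirror of an outstanding query gets through.
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.pending:
            self.pending.discard(key)  # one reply per query; real trackers expire by timeout
            return True
        return False


def run_scenario(fw) -> Dict[str, bool]:
    """Feed constructed packets through a filter and report each decision."""
    auth = "198.51.100.53"  # constructed authoritative server
    query = Packet(NS_IP, NS_QPORT, auth, 53)        # named queries from its fixed port
    reply = Packet(auth, 53, NS_IP, NS_QPORT)        # the genuine answer
    stray = Packet("203.0.113.9", 53, NS_IP, NS_QPORT)  # unsolicited, but source port 53
    dig_q = Packet(NS_IP, 51234, auth, 53)           # dig from an ephemeral source port
    dig_r = Packet(auth, 53, NS_IP, 51234)           # its answer
    out: Dict[str, bool] = {}
    out["query"] = fw.allow(query)
    out["reply"] = fw.allow(reply)
    out["stray"] = fw.allow(stray)
    out["dig_query"] = fw.allow(dig_q)
    out["dig_reply"] = fw.allow(dig_r)
    out["reply_replayed"] = fw.allow(reply)  # same answer a second time
    return out


if __name__ == "__main__":
    for name, fw in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        print(name, run_scenario(fw))
```

Under the stateless rules the unsolicited packet from source port 53 passes (rule 3 has nothing else to check), while dig from an ephemeral port is cut off both ways; under the stateful filter the stray packet and the replayed answer are dropped and dig works without a pinned source port.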
More information about the bind-users mailing list