Internal recursive nameserver access

Ladislav Vobr lvobr at ies.etisalat.ae
Wed Aug 27 04:26:28 UTC 2003


Dear Peter,

    thanks for your reply; I guess you are the only one who did not get
fed up with my topic. I admit that my perception of firewalls is wrong
and I looked at them most of the time as a faster access-control list,
which is the way they are being deployed in our environment here. Persuading
the security people here that it should do more, it can do more, and it is doing
more everywhere else might take some time.

Till this happens, I have to live with what I have, and it is basically,
as I said, something like a faster router access-list; installing a software
firewall is not an option for me, and I guess I am not the only one not
using firewalls/ACLs able to keep track of UDP.

This was my target: to get the best available setup of ACLs in such
conditions. Jim suggested having all random ports open just to be
able to run dig on the nameserver itself to query remote nameservers
from time to time, which seemed to me not justified enough, since the
server does not need them, and because of the occasional dig I will not
expose all UDP ports.

Many people replied, but nobody said what to do in the conditions I have,
which I believe are not rare at all. Even in the reference Jim
mentioned, "Building Internet Firewalls, second edition, Chapter 20 -
DNS", there is nothing about the query-source option of BIND, or fw states of
DNS UDP traffic; it generally says source port random, deal with it.

Ladislav


phn at icke-reklam.ipsec.nu wrote:

>Ladislav Vobr <lvobr at ies.etisalat.ae> wrote:
>
>>:-) I put it wrong, and I am very sorry for this. I thought layer 4
>>firewall, which can just filter udp traffic based on the port, and the
>>source address, without keeping states of application specific
>>request/reply relation. UDP itself is a completely stateless protocol.
>>
>>Ladislav
>
>Ok, let's start with the phrase "layer 4 firewall". It's to me a signal
>of someone not understanding the function of a firewall.
>
>I'll give two suggestions, one free and one expensive:
>
>OpenBSD + pf   Included in "base distribution", stateful and several
>nice extra features (like traffic shaping and normalizing (configurable)).
>
>Second suggestion: FW-1
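Added example (not from the thread): a BIND 9 named.conf options fragment that pins the query source address and port, so that the stateless router ACL Ladislav describes can match the replies on one fixed port instead of the whole unprivileged range. Assumed: the recursive server is 192.0.2.53 and the internal clients are in 192.0.2.0/24 (constructed addresses).

```conf
// Constructed example: internal recursive resolver behind a stateless ACL.
options {
    directory "/var/named";

    // Only answer on the internal interface.
    listen-on { 192.0.2.53; };

    // Recursion only for internal clients; no open resolver to the outside.
    recursion yes;
    allow-recursion { 192.0.2.0/24; };

    // Send every outbound query from a fixed source address and port.
    // Replies from remote authoritative servers therefore always arrive
    // as udp src port 53 -> 192.0.2.53 port 53, which a stateless ACL can
    // permit with a single line instead of opening all ports > 1023.
    query-source address 192.0.2.53 port 53;
};
```

The matching router rule is then a single permit for UDP from any host port 53 to host 192.0.2.53 port 53 (plus a deny for other UDP to the server), which is the trade-off under discussion: pinning the port gives up source-port randomization, which later BIND releases use to make cache poisoning harder (RFC 5452), so it widens the poisoning exposure while narrowing the ACL.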