Firewall for DNS Server

Ladislav Vobr lvobr at ies.etisalat.ae
Sat Sep 6 11:57:25 UTC 2003



Barry Margolin wrote:
> In article <bjac4m$2fu3$1 at sf1.isc.org>,  <chris at rockfort.com> wrote:
> 
>>I would like to setup filtering for my DNS servers. I suspect that they are
>>being used illicitly or attacked. Can anyone tell me what ports to leave
>>open besides 53, in order for the name servers to function properly. These
>>servers are used for public DNS purposes.
> 
> 
> You can't use filtering to prevent them from being "used illicitly",
> although you can use the "allow-recursion" configuration option to make
> them useless as resolvers for anyone other than your users.
> 
> In addition to port 53, you need to allow replies to your outbound queries
> to return to you.  By default BIND uses an unpredictable high-numbered
> source port for its queries.  If you have a stateful firewall, it should
> see the source port of the queries and automatically allow the replies back
> in, so you don't need to do anything.  If your firewall doesn't work like
> this you can use the "query-source" option to specify a particular source
> port for outbound queries, and allow this in.
> 

query-source is for UDP only; TCP requests' source ports are always 
random. The source ports for zone transfers or DNS NOTIFY are also random, 
but the source IP can be configured via transfer-source within the zone 
statement, or it might be in the options statement for some BIND 
versions; I don't recall exactly.

Ladislav
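The rule sets the thread describes, as an added example that is not part of the original exchange or of BIND's own documentation. The script prints a named.conf options fragment (allow-recursion restricted to the local network, query-source pinning the UDP source port, transfer-source and notify-source fixing the source address while their ports stay random) together with two iptables rule sets: one for a stateful firewall, where conntrack admits replies and only port 53 is opened inbound, and one for a stateless filter, where replies have to be matched on port numbers alone. The interface eth0, the server address 192.0.2.10, the network 192.0.2.0/24 and the query port 5300 are assumptions chosen for illustration, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates iptables rules for a
# public authoritative BIND server and prints the named.conf options they pair
# with, so both can be reviewed before anything is applied.
# Assumptions (mine, not the thread's): public interface eth0, server address
# 192.0.2.10 (RFC 5737 documentation range), local network 192.0.2.0/24, and a
# pinned UDP query source port of 5300.

# named.conf options that match the rule sets below.
named_options_fragment() {
    addr="$1"; net="$2"; qport="$3"
    cat <<EOF
options {
    // Recursion only for our own clients; everyone else gets authoritative
    // answers only.
    allow-recursion { $net; };
    // Address for outbound queries. The port applies to UDP only; TCP
    // queries always use a random unprivileged source port.
    query-source address $addr port $qport;
    // Source address for outbound zone transfers and NOTIFY messages
    // (their source ports remain random).
    transfer-source $addr;
    notify-source $addr;
};
EOF
}

# Stateful firewall: conntrack admits the replies to our own queries, so the
# only inbound holes are port 53 itself. No pinned query port is required.
dns_fw_rules_stateful() {
    ifc="$1"; addr="$2"
    cat <<EOF
iptables -A INPUT -i $ifc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $ifc -p udp -d $addr --dport 53 -j ACCEPT
iptables -A INPUT -i $ifc -p tcp -d $addr --dport 53 -j ACCEPT
iptables -A OUTPUT -o $ifc -s $addr -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $ifc -s $addr -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $ifc -j DROP
EOF
}

# Stateless filter: replies must be matched on port numbers alone. UDP replies
# come back to the pinned query port; TCP replies (including zone-transfer
# data from a master) are admitted when they are not a new connection (SYN).
dns_fw_rules_stateless() {
    ifc="$1"; addr="$2"; qport="$3"
    cat <<EOF
iptables -A INPUT -i $ifc -p udp -d $addr --dport 53 -j ACCEPT
iptables -A INPUT -i $ifc -p tcp -d $addr --dport 53 -j ACCEPT
iptables -A INPUT -i $ifc -p udp -d $addr --sport 53 --dport $qport -j ACCEPT
iptables -A INPUT -i $ifc -p tcp -d $addr --sport 53 ! --syn -j ACCEPT
iptables -A OUTPUT -o $ifc -s $addr -p udp --sport $qport --dport 53 -j ACCEPT
iptables -A OUTPUT -o $ifc -s $addr -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $ifc -j DROP
EOF
}

# Number of iptables rules a generator emits (handy for a quick review).
rule_count() {
    "$@" | grep -c '^iptables '
}

# Print both variants for review; pipe the chosen one to sh to apply it.
main() {
    named_options_fragment 192.0.2.10 192.0.2.0/24 5300
    echo
    dns_fw_rules_stateful eth0 192.0.2.10
    echo
    dns_fw_rules_stateless eth0 192.0.2.10 5300
}

main "$@"
```

Prefer the stateful variant where the firewall supports it: pinning the UDP source port with query-source removes the port randomisation that makes spoofed answers to the server's own queries harder to land, so the stateless rules trade resistance to forged replies for a simpler filter. The `! --syn` rule is likewise a coarse substitute for connection tracking; it admits any non-SYN TCP segment from port 53, not just segments belonging to a connection this host opened.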
