ACL in a Firewall or DNS only or both

Kevin Darcy kcd at daimlerchrysler.com
Thu Sep 23 17:52:14 UTC 2004


Edgar A. Mendieta wrote:

>Hi;
>
>I read about this and need you to give me some opinions on the following:
>
>I have one firewall and four DNS servers. I have only one DNS server that I permit
>to transfer to other DNS servers in another network. In my firewall I have one ACL for
>my secondary DNS servers; in this list I permit zone transfers only for my
>secondaries. And I have UDP DNS open for all. I think that this is the same as if
>I put (allow-transfer { }) in my DNS. Does this cause any problem if I put an ACL
>for my secondaries in my firewall?
>
>The other thing is that I have an ACL in my firewall and in my DNS; this ACL is
>for zone transfers. Does the firewall ACL affect the correct operation of the DNS?
>
Although zone transfers are the main things that use TCP, you should 
open TCP for all DNS communication, everywhere that you open UDP.

As for whether you should enforce DNS controls at the firewall or at the 
nameserver, that's really more of a security-administration question 
than a BIND/DNS one. You have to take into consideration whether you 
want to protect your nameserver against DoS'es, for instance, the 
likelihood of a DNS misconfiguration that might accidentally open your 
nameserver up to the world, the likelihood of an exploit in the BIND 
code (this will vary greatly depending on whether you're running BIND 9 
or something older than that), and a number of other considerations...

                        - Kevin
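A small policy check, added here as an example and not part of the original thread: it takes a constructed named.conf fragment and a constructed firewall permit list (both hypothetical) and reports the two mistakes discussed above, a nameserver with no transfer restriction and a firewall that opens UDP/53 to a source without also opening TCP/53 to it.

```python
import re

# Constructed sample named.conf fragment (not from the post): transfers limited
# to the secondaries, ordinary queries open to everyone.
NAMED_CONF = """
acl secondaries { 192.0.2.10; 192.0.2.11; };
options {
    allow-query    { any; };
    allow-transfer { secondaries; };
};
"""

# Constructed firewall policy, one tuple per permit rule: (proto, dport, source).
# TCP/53 has been restricted to the secondaries, which is the mistake the reply
# warns about: TCP is needed by every client, not only for zone transfers.
FIREWALL_RULES = [
    ("udp", 53, "any"),
    ("tcp", 53, "192.0.2.10"),
    ("tcp", 53, "192.0.2.11"),
]


def transfer_acl(named_conf):
    """Return the allow-transfer match list, or None if it is not set at all."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", named_conf)
    if not m:
        return None
    return [item.strip() for item in m.group(1).split(";") if item.strip()]


def audit(named_conf, fw_rules):
    """Return a list of findings for the nameserver ACL and the firewall policy."""
    findings = []
    acl = transfer_acl(named_conf)
    if acl is None or "any" in acl:
        findings.append("nameserver: allow-transfer missing or open to any")
    # Every source allowed to reach UDP/53 must be allowed to reach TCP/53 too.
    udp_sources = {src for proto, port, src in fw_rules if proto == "udp" and port == 53}
    tcp_sources = {src for proto, port, src in fw_rules if proto == "tcp" and port == 53}
    for src in sorted(udp_sources - tcp_sources):
        findings.append(f"firewall: UDP/53 open for {src} but TCP/53 is not")
    return findings


if __name__ == "__main__":
    for finding in audit(NAMED_CONF, FIREWALL_RULES):
        print(finding)
```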
