Bind as cache DNS and firewall

Jason Roysdon bind-users.20100813 at jason.roysdon.net
Thu Aug 19 02:23:21 UTC 2010


On 08/18/2010 02:42 PM, Ulrich David wrote:
> Hi,
> 
> I'm using Bind as a cache (absolutely not authoritative) DNS for a public network. I have put a firewall in order to refuse incoming packets from people not on my network.
> 
> Today, inspecting logs, I see this :
> 
> Aug 18 17:31:44 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=50785 CE PROTO=UDP SPT=56592 DPT=53 LEN=49 
> Aug 18 17:31:48 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=59 TOS=00 PREC=0x00 TTL=120 ID=23374 PROTO=UDP SPT=57527 DPT=53 LEN=39 
> Aug 18 17:31:51 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=207.38.104.93 DST=MY.CACHE.DNS LEN=47 TOS=00 PREC=0x00 TTL=48 ID=48457 CE PROTO=UDP SPT=32779 DPT=53 LEN=27 
> Aug 18 17:31:56 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=72 TOS=00 PREC=0x00 TTL=120 ID=38433 CE PROTO=UDP SPT=53494 DPT=53 LEN=52 
> Aug 18 17:32:00 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=109.164.132.64 DST=MY.CACHE.DNS LEN=60 TOS=00 PREC=0x00 TTL=112 ID=24658 PROTO=UDP SPT=51908 DPT=53 LEN=40 
> Aug 18 17:32:04 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=40178 CE PROTO=UDP SPT=48147 DPT=53 LEN=49 
> Aug 18 17:32:08 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=213.3.5.3 DST=MY.CACHE.DNS LEN=68 TOS=00 PREC=0x00 TTL=53 ID=15544 PROTO=UDP SPT=18967 DPT=53 LEN=48 
> 
> This traffic came from other DNS servers in the world. As it's UDP, I think of UDP queries going from my cache server to other DNS servers, and I catch their UDP responses in the firewall. Is it possible?
> 
> So I should open my firewall for UDP on port 53 for all the world?
> 
> Regards,
> 
> David


David,

First, double-check that you're on a current BIND release.  Second,
check that your named.conf doesn't have "query-source" bound to port 53.
It's bad to always source your queries from port 53, as it allows your
cache to get bogus spoofed replies from systems you aren't asking
queries of.

Provided that you are running a recent version of BIND, and that you are
not configuring your named.conf to query from port 53, your DNS server
should be sending out UDP queries from random, high-numbered ephemeral
ports.  See the Wikipedia article on this, which discusses Linux port
defaults vs. IANA recommended port range, etc. (as I'm typing this while
offline).  Your server should be sourcing from those random,
high-numbered ephemeral ports to remote DNS servers' udp/53.  Their
replies should come back from their same udp/53 source to your same
original high-numbered ephemeral port.

As you should be sending UDP queries from high-numbered ports, and your
queries are never going to originate from udp/53, you should never
get replies destined for your udp/53.

You should absolutely not open your firewall to queries from UDP/53 as
it is not authoritative and is not an open dns resolving server for the
Internet (or if it was, you shouldn't be asking questions on here how to
secure it).

I would configure your firewall to -j DROP and not first -j LOG these
packets.  No need filling up your syslog with bogus queries.

My guess is that there are some poorly configured remote firewalls.

Jason Roysdon
http://jason.roysdon.net/
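A small check that applies Jason's two points to David's own log lines. This is an added example, not code from either poster or from ISC: it parses the iptables LOG lines quoted above and classifies each dropped packet (DPT=53 means a foreign host is querying the cache; a reply to the cache's own query would instead arrive with SPT=53 and a high-numbered DPT), and it greps a named.conf fragment for a "query-source ... port N" statement. The named.conf matching is a simple regular expression, not a full named.conf parser (it does not skip comments), and the "possible reply" log line and the two named.conf fragments are constructed for the example.

```python
"""Classify iptables DROP log lines for a caching resolver and check named.conf
for a pinned query-source port.  Added example, not part of the original thread."""
import re

# iptables LOG output is a run of KEY=VALUE tokens plus a few bare flags
# ("CE", "DF") that carry no value and are ignored here.
_KV = re.compile(r"\b([A-Z]+)=(\S*)")

# Matches "query-source address * port 53;", "query-source port 53;" and the
# query-source-v6 form.  Simple regex, NOT a full named.conf parser (assumption).
_QS = re.compile(r"query-source(?:-v6)?\s+[^;]*?\bport\s+(\d+|\*)", re.I)


def parse_ipt_log(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict.
    The first LEN= is the IP total length; the second belongs to the UDP
    header and is stored under UDPLEN so both survive."""
    fields = {}
    for key, val in _KV.findall(line):
        if key == "LEN" and "LEN" in fields:
            fields["UDPLEN"] = val
            continue
        fields[key] = val
    return fields


def classify_drop(line):
    """Say what a dropped UDP packet arriving at the resolver actually is.

    A reply to one of the cache's own queries comes FROM udp/53 TO the random
    high-numbered port named chose for that query; it never targets our udp/53.
    A packet with DPT=53 is therefore somebody querying us, not an answer we
    are waiting for, and dropping it is correct for a non-open resolver.
    """
    f = parse_ipt_log(line)
    if f.get("PROTO") != "UDP":
        return "not-udp"
    spt, dpt = int(f["SPT"]), int(f["DPT"])
    if dpt == 53:
        return "inbound-query"   # foreign host asking our cache
    if spt == 53 and dpt >= 1024:
        return "possible-reply"  # looks like an answer to a query we sent
    return "other"


def summarize(lines):
    """Count dropped packets per class, so a log can be eyeballed at once."""
    counts = {}
    for line in lines:
        kind = classify_drop(line)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def pinned_query_source_ports(named_conf):
    """Return the fixed source ports set by query-source statements.
    An empty list (or only 'port *') means named picks random ephemeral
    source ports, which is what you want against spoofed replies."""
    return [int(m.group(1)) for m in _QS.finditer(named_conf)
            if m.group(1) != "*"]


# The seven DROP lines David posted (DST anonymised by him as MY.CACHE.DNS).
POSTED_DROPS = [
    "Aug 18 17:31:44 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00 SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=50785 CE PROTO=UDP SPT=56592 DPT=53 LEN=49",
    "Aug 18 17:31:48 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00 SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=59 TOS=00 PREC=0x00 TTL=120 ID=23374 PROTO=UDP SPT=57527 DPT=53 LEN=39",
    "Aug 18 17:31:51 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00 SRC=207.38.104.93 DST=MY.CACHE.DNS LEN=47 TOS=00 PREC=0x00 TTL=48 ID=48457 CE PROTO=UDP SPT=32779 DPT=53 LEN=27",
    "Aug 18 17:31:56 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00 SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=72 TOS=00 PREC=0x00 TTL=120 ID=38433 CE PROTO=UDP SPT=53494 DPT=53 LEN=52",
    "Aug 18 17:32:00 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00 SRC=109.164.132.64 DST=MY.CACHE.DNS LEN=60 TOS=00 PREC=0x00 TTL=112 ID=24658 PROTO=UDP SPT=51908 DPT=53 LEN=40",
    "Aug 18 17:32:04 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00 SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=40178 CE PROTO=UDP SPT=48147 DPT=53 LEN=49",
    "Aug 18 17:32:08 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00 SRC=213.3.5.3 DST=MY.CACHE.DNS LEN=68 TOS=00 PREC=0x00 TTL=53 ID=15544 PROTO=UDP SPT=18967 DPT=53 LEN=48",
]

# Constructed line (TEST-NET address) showing what a genuine dropped reply
# to our own query would look like: SPT=53, DPT = our ephemeral port.
CONSTRUCTED_REPLY = ("Aug 18 17:32:10 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00 SRC=192.0.2.53 "
                     "DST=MY.CACHE.DNS LEN=80 TOS=00 PREC=0x00 TTL=55 ID=1 PROTO=UDP SPT=53 DPT=40123 LEN=60")

# Constructed named.conf fragments: the weak setting beside the corrected one.
BAD_CONF = 'options {\n    recursion yes;\n    query-source address * port 53;\n};\n'
GOOD_CONF = 'options {\n    recursion yes;\n    query-source address *;\n};\n'

if __name__ == "__main__":
    print(summarize(POSTED_DROPS))                 # {'inbound-query': 7}
    print(classify_drop(CONSTRUCTED_REPLY))        # possible-reply
    print(pinned_query_source_ports(BAD_CONF))     # [53]
    print(pinned_query_source_ports(GOOD_CONF))    # []
```

Every one of the posted lines classifies as an inbound query to udp/53, so none of them is a lost reply. If a log ever did show "possible-reply" lines, the fix is a conntrack rule accepting ESTABLISHED,RELATED traffic on the return path (ahead of the DROP), not opening udp/53 to the world; and a non-empty result from pinned_query_source_ports is the "query-source ... port 53" setting Jason warns against.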
