Bind as cache DNS and firewall

Robert Spangler mlists at zoominternet.net
Thu Aug 19 02:28:11 UTC 2010


On Wednesday 18 August 2010 17:42, Ulrich David wrote:

> Hi,
>
> I'm using Bind as a cache (absolutely not authoritative) DNS for a public
> network. I have put a firewall in order to refuse incoming packets from
> people not on my network.
>
> This traffic came from other DNS servers in the world. As it's UDP, I think
> of UDP queries going from my cache server to other DNS servers, and I catch
> their UDP responses in the firewall. Is it possible?
>
> So I should open my firewall for UDP on port 53 for all the world?

It would really depend on how you have your firewall set up.  You should have 
it set up to do STATEFUL inspection and allow ESTABLISHED,RELATED connections 
inbound; that way your responses are allowed through.  Also ensure that 
connection tracking is turned on.  A simple firewall could be:

eth0 = Internet
eth1 = LAN

# Let the LAN open new DNS conversations. --dport is only valid together
# with -p tcp or -p udp, so one rule per transport is needed.
iptables -A FORWARD -i eth1 -p udp -m state --state NEW --dport 53 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -m state --state NEW --dport 53 -j ACCEPT
# Let replies back in only when conntrack has already seen the matching
# outbound query; unsolicited packets from the Internet never match.
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

The reason I use just the port is so that both TCP and UDP are captured.
But not knowing your setup it is hard to give you a complete answer.

-- 

Regards
Robert

Linux
The adventure of a life time.

Linux User #296285
Get Counted
http://counter.li.org/
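As an added illustration (not part of Robert's reply or anything posted in this thread), the following Python model shows what stateful connection tracking does for a caching resolver and why it removes the need to open UDP/53 to the whole Internet. An outbound query to port 53 creates a tracking entry; an inbound packet is accepted only if it is the exact reverse of a tracked flow that has not timed out. A stateless rule that simply admits anything with source port 53 is shown beside it for contrast. The IP addresses, ports and the 30-second timeout are constructed for the example and are not taken from the thread.

```python
"""Toy model of stateful vs. stateless filtering of DNS replies.

This is a simulation of the conntrack idea, not a wrapper around iptables.
"""
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 documentation ranges).
RESOLVER_IP = "192.0.2.53"      # the caching BIND host behind the firewall
UPSTREAM_IP = "198.51.100.10"   # an authoritative server the cache queried
RANDOM_IP = "203.0.113.77"      # an unrelated Internet host


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Models `--state NEW --dport 53` outbound and `--state ESTABLISHED` inbound."""

    def __init__(self, timeout=30.0):
        self.timeout = timeout          # constructed value; real conntrack timeouts differ
        self.conntrack = {}             # 5-tuple of outbound flow -> expiry time

    def _expire(self, now):
        for key, expiry in list(self.conntrack.items()):
            if expiry <= now:
                del self.conntrack[key]

    def outbound(self, pkt, now):
        """Resolver -> Internet: only new DNS flows (dst port 53) are allowed."""
        self._expire(now)
        if pkt.dst_port != 53:
            return "DROP"
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        self.conntrack[key] = now + self.timeout
        return "ACCEPT"

    def inbound(self, pkt, now):
        """Internet -> resolver: accept only replies to a tracked outbound flow."""
        self._expire(now)
        reply_of = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_of in self.conntrack:
            self.conntrack[reply_of] = now + self.timeout   # refresh, as conntrack does
            return "ACCEPT"
        return "DROP"        # unsolicited: no matching query was ever sent


def stateless_inbound(pkt):
    """What a stateless 'open UDP/53 to the world' rule has to do: trust the source port."""
    return "ACCEPT" if pkt.src_port == 53 else "DROP"


def demo():
    """Run one DNS exchange plus the failure cases; returns verdicts keyed by scenario."""
    fw = StatefulFirewall(timeout=30.0)
    udp_query = Packet("udp", RESOLVER_IP, 40123, UPSTREAM_IP, 53)
    udp_reply = Packet("udp", UPSTREAM_IP, 53, RESOLVER_IP, 40123)
    tcp_query = Packet("tcp", RESOLVER_IP, 40124, UPSTREAM_IP, 53)
    tcp_reply = Packet("tcp", UPSTREAM_IP, 53, RESOLVER_IP, 40124)
    # Same ports, but from a host we never queried.
    unsolicited = Packet("udp", RANDOM_IP, 53, RESOLVER_IP, 40123)
    return {
        "udp_query_out": fw.outbound(udp_query, now=0.0),
        "udp_reply_in": fw.inbound(udp_reply, now=0.1),
        "tcp_query_out": fw.outbound(tcp_query, now=0.2),
        "tcp_reply_in": fw.inbound(tcp_reply, now=0.3),
        "unsolicited_in_stateful": fw.inbound(unsolicited, now=0.4),
        "unsolicited_in_stateless": stateless_inbound(unsolicited),
        # A reply arriving long after the tracking entry expired is dropped.
        "late_reply_in": fw.inbound(udp_reply, now=60.0),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:28s} {verdict}")
```

The two `unsolicited_in_*` verdicts are the point of the thread: with tracking, the firewall can stay closed to the Internet on port 53 and still let every genuine response through, while a stateless rule would have to accept any packet that merely claims to come from port 53.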
