Bind as cache DNS and firewall

Ulrich David david.ulrich at siesa.ch
Thu Aug 19 06:21:18 UTC 2010


Hi Jason and Robert,

Sorry for my lack of details.

My firewall has stateful inspection enabled for all port :
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
I permit all outgoing packet. The opened incoming ports are 22 tcp (for all IP), 53 tcp and udp (filtered for my clients IP - they have public IPs... so... -).
I enable LOG for iptables but protect it against DoS. Doing this permit me to do some "inspection" :) .

I have a BIND 9.4.3-P5 (running on a linux). It's last stable release on my distribution. query-source is not enabled. My configuration is very simple :
options {
	directory "/var/bind";
	listen-on-v6 { none; };
       listen-on { any; };

	allow-query {
		local;
		my-clients;
		my-servers;
		my-private-network;
	};

	statistics-file "/var/bind/stats/named.stats";
	version	"None of your business";
	blackhole { blacklist; };
	max-cache-size 		0;
	recursive-clients       10000;
	pid-file "/var/run/named/named.pid";
};
I have some zone (in-addr.arpa, . , localhost). I have logging and controls block too.
I can go up to 4000 queries/seconds (a lot of mailservers on my network).

named is running well. But I have some problems with some perharps "bogus" authoritative dns (ns51.domaincontrol.com andns52.domaincontrol.com for example)... so I decided to see if it's not my configuration which has a problem.

Regards,

David




Le 19 août 2010 à 04:23, Jason Roysdon a écrit :

> 
> On 08/18/2010 02:42 PM, Ulrich David wrote:
>> Hi,
>> 
>> I'm using Bind as a cache (absolutely not authoritative) DNS for a public network. I have put a firewall in order to refuse incoming packets from people not on my network.
>> 
>> Today, inspecting logs, I see this :
>> 
>> Aug 18 17:31:44 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=50785 CE PROTO=UDP SPT=56592 DPT=53 LEN=49 
>> Aug 18 17:31:48 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=59 TOS=00 PREC=0x00 TTL=120 ID=23374 PROTO=UDP SPT=57527 DPT=53 LEN=39 
>> Aug 18 17:31:51 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=207.38.104.93 DST=MY.CACHE.DNS LEN=47 TOS=00 PREC=0x00 TTL=48 ID=48457 CE PROTO=UDP SPT=32779 DPT=53 LEN=27 
>> Aug 18 17:31:56 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=72 TOS=00 PREC=0x00 TTL=120 ID=38433 CE PROTO=UDP SPT=53494 DPT=53 LEN=52 
>> Aug 18 17:32:00 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=109.164.132.64 DST=MY.CACHE.DNS LEN=60 TOS=00 PREC=0x00 TTL=112 ID=24658 PROTO=UDP SPT=51908 DPT=53 LEN=40 
>> Aug 18 17:32:04 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=40178 CE PROTO=UDP SPT=48147 DPT=53 LEN=49 
>> Aug 18 17:32:08 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=213.3.5.3 DST=MY.CACHE.DNS LEN=68 TOS=00 PREC=0x00 TTL=53 ID=15544 PROTO=UDP SPT=18967 DPT=53 LEN=48 
>> 
>> This traffic came from other DNS server in the world. As it's UDP I think of UDP queries going from my cache server to other DNS server, and I catch their UDP responses in the firewall. Is it possible?
>> 
>> So I should open my firewall for UDP on port 53 for all the world?
>> 
>> Regards,
>> 
>> David
> 
> 
> David,
> 
> First, double-check that you're on a current BIND release.  Second,
> check that your named.conf doesn't have "query-source" bound to port 53.
> It's bad to always source your queries from port 53, as it allows your
> cache to get bogus spoofed replies from systems you aren't asking
> queries of.
> 
> Provided that you are running a recent version of BIND, and that you are
> configuring your named.conf to query from port 53, your DNS server
> should be sending out UDP queries from random, high-numbered ephemeral
> ports.  See the Wikipedia article on this, which discusses Linux port
> defaults vs. IANA recommended port range, etc. (as I'm typing this while
> offline).  Your server should be sourcing from those random,
> high-numbered ephemeral ports to remote DNS servers' udp/53.  Their
> queries should come back from their same udp/53 source to your same
> original high-numbered ephemeral port.
> 
> As you should be sending UDP queries from high-numbered ports, and your
> queries are never going to originate from udp/53, so you should never
> get replies destined for your udp/53.
> 
> You should absolutely not open your firewall to queries from UDP/53 as
> it is not authoritative and is not an open dns resolving server for the
> Internet (or if it was, you shouldn't be asking questions on here how to
> secure it).
> 
> I would configure your firewall to -j DROP and not first -j LOG these
> packets.  No need filling up your syslog with bogus queries.
> 
> My guess is that there are some poorly configured remote firewalls.
> 
> Jason Roysdon
> http://jason.roysdon.net/
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users




More information about the bind-users mailing list