[External] Re: How can I launch a private Internet DNS server?

sthaug at nethelp.no sthaug at nethelp.no
Thu Oct 15 19:38:30 UTC 2020


> I would run a firewall even for BIND alone on a box in case the box
> gets compromised through BIND. Allowing remote access and DNS, then
> dropping everything else as the general firewall policy should be
> pretty straightforward. But with the IP on this particular BIND box
> being public, it's really like any other server on the internet. Port
> forwarding or NAT in that case would be unnecessary.

Do you mean a simple stateless ACL, or a stateful firewall? If you
really mean a stateful firewall: Think about the effect of DNS
queries - they are usually UDP based, and every new query is going
to create state. Read up on state table exhaustion.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
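As an added example (not part of the thread or of any project's code), here is one way to act on the point above with nftables: keep a stateful policy for remote administration but exempt UDP DNS from connection tracking, so that a flood of queries to the resolver does not consume conntrack entries. The SSH port, the loopback interface name and the choice of a single `inet` table are assumptions.

```nft
#!/usr/sbin/nft -f
# Stateful firewall for a BIND host, with UDP/53 handled statelessly.
# Assumption: administration is over SSH on TCP/22; adjust as needed.
flush ruleset

table inet filter {
    # Raw-priority hooks run before conntrack: mark DNS datagrams
    # "notrack" in both directions so queries and replies never
    # create state table entries.
    chain raw_prerouting {
        type filter hook prerouting priority raw; policy accept;
        udp dport 53 notrack
    }
    chain raw_output {
        type filter hook output priority raw; policy accept;
        udp sport 53 notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        # Everything except DNS stays stateful.
        ct state established,related accept
        ct state invalid drop
        # Untracked DNS queries are neither established nor invalid,
        # so they fall through to this stateless accept.
        udp dport 53 accept
        # TCP DNS (truncated answers, zone transfers) is low volume;
        # leave it tracked so the normal stateful rules apply.
        tcp dport 53 ct state new accept
        # Remote administration, stateful.
        tcp dport 22 ct state new accept
        # Basic ICMP/ICMPv6 so path MTU discovery and IPv6 ND keep working.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big,
                      time-exceeded, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

After loading with `nft -f`, `conntrack -L -p udp --dport 53` should stay empty while queries are being answered, which confirms the notrack rules are taking effect.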

