[External] Re: How can I launch a private Internet DNS server?

Chuck Aurora ca at nodns4.us
Fri Oct 16 01:42:28 UTC 2020

On 2020-10-15 14:38, sthaug at nethelp.no wrote:
>> I would run a firewall even for BIND alone on a box in case the box
>> gets compromised through BIND. Allowing remote access and DNS, then
>> dropping everything else as the general firewall policy should be
>> pretty straightforward. But with the IP on this particular BIND box
>> being public, it's really like any other server on the internet. Port
>> forwarding or NAT in that case would be unnecessary.
> Do you mean a simple stateless ACL, or a stateful firewall? If you
> really mean a stateful firewall: Think about the effect of DNS
> queries - they are usually UDP based, and every new query is going
> to create state. Read up on state table exhaustion.

Absolutely right; I wrote this Linux-centric article about it:


It has not been updated to cover nftables.

Note also that this is a good reason NOT to use the NAT that
other posters have encouraged.
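The stateless treatment of DNS traffic discussed in this thread, written out as an added nftables ruleset (not part of the thread or of the article mentioned above): port 53 is marked `notrack` ahead of conntrack so that inbound query volume cannot fill the state table, while management access stays stateful. The admin prefix 192.0.2.0/24 and an authoritative (inbound-query-only) BIND role are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example: keep DNS out of conntrack on a public BIND host.
# 192.0.2.0/24 is an assumed admin network; adjust for your deployment.
flush ruleset

define mgmt_net = 192.0.2.0/24

table inet filter {
    # Priority "raw" runs before conntrack on the prerouting and output
    # hooks, so packets flagged here never create a state-table entry.
    chain raw_pre {
        type filter hook prerouting priority raw; policy accept;
        udp dport 53 notrack
        tcp dport 53 notrack
    }
    chain raw_out {
        type filter hook output priority raw; policy accept;
        udp sport 53 notrack
        tcp sport 53 notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept

        # DNS is accepted statelessly. Put these rules before any
        # ct state match: untracked packets would never match
        # "established" because no conntrack entry exists for them.
        udp dport 53 accept
        tcp dport 53 accept

        # Everything else remains stateful.
        ct state established,related accept
        ct state invalid drop
        tcp dport 22 ip saddr $mgmt_net ct state new accept

        # ICMP needed for path MTU discovery and basic diagnostics.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big,
                      time-exceeded, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

For a recursive resolver the outbound queries BIND itself sends (random source port, destination port 53) are still tracked by this ruleset; exempting them as well means accepting inbound packets with source port 53 statelessly, which is a trade-off to weigh before copying the notrack rules to that direction.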

