* Rules for DNS
From: David C. Hart @ 2004-01-29 15:25 UTC (permalink / raw)
To: Iptables Mailing List
I am terribly confused about what I need to accept and reject and the
associated IPTables rules for Bind to work properly without exposing our
server to exploits. Right now, I'm pretty much accepting all traffic to
and from port 53 and that's "probably" not a good thing. I'm running
IPtables on the same machine running Bind.
Can someone point me in the right direction?
Thanks.
---------
Quality Management - A Commitment to Excellence
* Re: Rules for DNS
From: Antony Stone @ 2004-01-29 15:39 UTC (permalink / raw)
To: Iptables Mailing List
On Thursday 29 January 2004 3:25 pm, David C. Hart wrote:
> I am terribly confused about what I need to accept and reject and the
> associated IPTables rules for Bind to work properly without exposing our
> server to exploits. Right now, I'm pretty much accepting all traffic to
> and from port 53 and that's "probably" not a good thing. I'm running
> IPtables on the same machine running Bind.
>
> Can someone point me in the right direction?
Allow traffic to TCP & UDP ports 53 on your DNS server, but secure it in
/etc/named.conf using the info at http://www.isc.org under BIND - hint: stop
people from doing zone transfers or domain updates.
Antony.
--
I want to build a machine that will be proud of me.
- Danny Hillis, creator of The Connection Machine
Please reply to the list;
please don't CC me.
* Re: Rules for DNS
From: Maciej Soltysiak @ 2004-01-29 15:39 UTC (permalink / raw)
To: Iptables Mailing List
> I am terribly confused about what I need to accept and reject and the
> associated IPTables rules for Bind to work properly without exposing our
> server to exploits. Right now, I'm pretty much accepting all traffic to
> and from port 53 and that's "probably" not a good thing. I'm running
> IPtables on the same machine running Bind.
> Can someone point me in the right direction?
Well, all DNS servers use udp/53 for queries and replies,
when the reply is over 512 bytes, tcp/53 is used.
tcp/53 is also used for zone transfers.
Bind also uses port 953 for remote control.
No matter if you are using a caching server or a master or slave
server, you need 53 on both udp and tcp.
Advisories about filtering tcp/53 traffic to prevent zone
transfers are crazy. You just allow zone transfers to trusted
hosts and deny to everyone else by DNS configuration.
If you are using one DNS server, port 953 is used only on localhost.
So, give udp/53 and tcp/53 to everybody you want to use your
nameserver. If it is a caching server, allow only trusted IPs
and strengthen your named configuration to allow only trusted IPs
also.
If it is a master or slave server for public Internet zones,
you want everybody to be able to ask the server for DNS resources,
so open udp/53 and tcp/53 to everybody.
Limit tcp/953 to localhost only if this server is not to be
remotely controlled.
The simple thought is this:
In case of DNS use a firewall only to decide who should and who
should not access the service.
For security turn to trusted software known to be stable and
secure, and good configuration of the daemon.
Regards,
Maciej
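The policy Maciej describes above (port 53 on both protocols open to everyone for an authoritative server or only to trusted networks for a caching one, rndc's tcp/953 restricted to loopback) as a small shell helper. This is an added example, not code from the list post; `dns_rules` is a hypothetical name, and the trusted networks and the stateful `ESTABLISHED,RELATED` rule (so the server's own upstream lookups get their answers back) are my assumptions. It only prints the iptables commands, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Hypothetical helper (constructed example): print the iptables INPUT rules
# for a host that runs BIND, following the policy from the post above.
# Usage: dns_rules MODE [TRUSTED_NET ...]
#   MODE = authoritative -> udp/53 and tcp/53 open to everybody
#   MODE = caching       -> udp/53 and tcp/53 only from the trusted nets given
# In both modes tcp/953 (rndc control channel) is accepted from loopback only.
dns_rules() {
    mode=$1
    shift
    # Answers to the server's own outbound queries must be let back in
    # (assumption: a stateful ruleset is acceptable on this host).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    case "$mode" in
        authoritative)
            # Public zones: anybody may ask, over udp and tcp.
            for proto in udp tcp; do
                echo "iptables -A INPUT -p $proto --dport 53 -j ACCEPT"
            done ;;
        caching)
            [ $# -gt 0 ] || { echo "caching mode needs at least one trusted net" >&2; return 1; }
            # Resolver: only the trusted networks may query it ...
            for net in "$@"; do
                for proto in udp tcp; do
                    echo "iptables -A INPUT -s $net -p $proto --dport 53 -j ACCEPT"
                done
            done
            # ... and everybody else asking port 53 is refused.
            for proto in udp tcp; do
                echo "iptables -A INPUT -p $proto --dport 53 -j DROP"
            done ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1 ;;
    esac
    # rndc: loopback only, as the post recommends for a single server.
    echo "iptables -A INPUT -i lo -p tcp --dport 953 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 953 -j DROP"
}
```

Pipe the output into `sh` once you are happy with it; the firewall only decides who may reach the daemon, so zone transfers and recursion still need to be restricted in named.conf as the post says.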
* Re: Rules for DNS
From: Alexis @ 2004-01-29 15:47 UTC (permalink / raw)
To: netfilter
DNS uses udp/53 for queries and tcp/53 for zone transfers;
tcp/53 is used for queries too if it exceeds 512 bytes.
M$ Windows uses tcp and udp for queries, regardless of the size, so for
mswin to work, you need to open both ports.
Be extremely careful if you are natting the dns server.
On Thu, 2004-01-29 at 12:25, David C. Hart wrote:
> I am terribly confused about what I need to accept and reject and the
> associated IPTables rules for Bind to work properly without exposing our
> server to exploits. Right now, I'm pretty much accepting all traffic to
> and from port 53 and that's "probably" not a good thing. I'm running
> IPtables on the same machine running Bind.
>
> Can someone point me in the right direction?
>
> Thanks.
> ---------
> Quality Management - A Commitment to Excellence
--
Alexis <alexis@attla.net.ar>
From: Krzysztof Mazurczyk @ 2004-01-30 12:58 UTC (permalink / raw)
To: netfilter
On Thu, 29/Jan/04 12:47:13, Alexis wrote:
>
> Be extremely careful if you are natting the dns server.
>
May I ask why?
Regards,
Chris