* Rules for DNS
From: David C. Hart @ 2004-01-29 15:25 UTC (permalink / raw)
  To: Iptables Mailing List


I am terribly confused about what I need to accept and reject and the
associated IPTables rules for Bind to work properly without exposing our
server to exploits. Right now, I'm pretty much accepting all traffic to
and from port 53 and that's "probably" not a good thing. I'm running
IPtables on the same machine running Bind.

Can someone point me in the right direction?

Thanks.
                               ---------
            Quality Management - A Commitment to Excellence


* Re: Rules for DNS
From: Antony Stone @ 2004-01-29 15:39 UTC (permalink / raw)
  To: Iptables Mailing List

On Thursday 29 January 2004 3:25 pm, David C. Hart wrote:

> I am terribly confused about what I need to accept and reject and the
> associated IPTables rules for Bind to work properly without exposing our
> server to exploits. Right now, I'm pretty much accepting all traffic to
> and from port 53 and that's "probably" not a good thing. I'm running
> IPtables on the same machine running Bind.
>
> Can someone point me in the right direction?

Allow traffic to TCP & UDP ports 53 on your DNS server, but secure it in 
/etc/named.conf using the info at http://www.isc.org under BIND - hint: stop 
people from doing zone transfers or domain updates.

Antony.

-- 
I want to build a machine that will be proud of me.

 - Danny Hillis, creator of The Connection Machine

                                                     Please reply to the list;
                                                           please don't CC me.

* Re: Rules for DNS
From: Maciej Soltysiak @ 2004-01-29 15:39 UTC (permalink / raw)
  To: Iptables Mailing List

> I am terribly confused about what I need to accept and reject and the
> associated IPTables rules for Bind to work properly without exposing our
> server to exploits. Right now, I'm pretty much accepting all traffic to
> and from port 53 and that's "probably" not a good thing. I'm running
> IPtables on the same machine running Bind.

> Can someone point me in the right direction?

Well, all DNS servers use udp/53 for queries and replies; when the reply
is over 512 bytes, tcp/53 is used. tcp/53 is also used for zone transfers.

Bind also uses port 953 for remote control.

No matter if you are using a caching server or a master or slave
server, you need 53 on both udp and tcp.

Advisories about filtering tcp/53 traffic to prevent zone
transfers are crazy. You just allow zone transfers to trusted
hosts and deny to everyone else by DNS configuration.

If you are using one DNS server, port 953 is used only on localhost.
So, give udp/53 and tcp/53 to everybody you want to use your
nameserver. If it is a caching server, allow only trusted IPs
and strengthen your named configuration to allow only trusted IPs
also.
If it is a master or slave server for public Internet zones,
you want everybody to be able to ask the server for DNS resources,
so open udp/53 and tcp/53 to everybody.

Limit tcp/953 to localhost only if this server is not to be
remotely controlled.

The simple thought is this:
In case of DNS use a firewall only to decide who should and who
should not access the service.
For security turn to trusted software known to be stable and
secure, and good configuration of the daemon.


Regards,
Maciej
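
Antony's and Maciej's advice above, turned into an iptables rule set as an added example (this is not code from the thread): udp/53 and tcp/53 are opened to the clients the server is meant to serve, rndc (tcp/953) stays on loopback, and who may do zone transfers or updates is left to named.conf rather than to the packet filter. It assumes BIND runs on the filtering host, the INPUT chain policy is DROP, and the `state` match is available; the `show`/`apply` modes and the `clients` argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the thread. Firewall rules for a host running BIND.
# Access policy (zone transfers, updates) belongs in named.conf
# (allow-transfer / allow-update); the filter only decides who reaches port 53.
#
# Assumptions: INPUT policy is DROP, the state match is loaded.
# Usage: dns_rules show  [clients]   print the commands (default, safe)
#        dns_rules apply [clients]   run them as root
# "clients" is a source network: omit it (0.0.0.0/0) for a master/slave
# serving public zones; give a trusted network for a caching-only server.

dns_rules() {
    mode="${1:-show}"
    clients="${2:-0.0.0.0/0}"
    case "$mode" in
        apply) ipt="iptables" ;;
        *)     ipt="echo iptables" ;;
    esac

    # Loopback first: the local resolver and rndc both live here.
    $ipt -A INPUT -i lo -j ACCEPT

    # Queries. UDP is the normal path, but TCP is required as well: a reply
    # over 512 bytes is truncated and retried over TCP, and zone transfers
    # use TCP. Opening only UDP breaks both cases.
    $ipt -A INPUT -s "$clients" -p udp --dport 53 -j ACCEPT
    $ipt -A INPUT -s "$clients" -p tcp --dport 53 -j ACCEPT

    # rndc control channel: never from the network. Redundant under a DROP
    # policy, but explicit so the intent survives later edits to the chain.
    $ipt -A INPUT -p tcp --dport 953 ! -i lo -j DROP

    # Replies to the server's own outbound queries (recursion, transfers it
    # pulls as a slave) and the rest of already-open flows.
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}
```

Run `dns_rules show` first and read the output; only `dns_rules apply` touches the running tables.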

* Re: Rules for DNS
From: Alexis @ 2004-01-29 15:47 UTC (permalink / raw)
  To: netfilter

DNS uses udp/53 for queries and tcp/53 for zone transfers;
tcp/53 is used for queries too if they exceed 512 bytes.

M$ Windows uses tcp and udp for queries, without looking at the size, so for
mswin to work, you need to open both ports.

Be extremely careful if you are NATting the DNS server.



On Thu, 2004-01-29 at 12:25, David C. Hart wrote:
> I am terribly confused about what I need to accept and reject and the
> associated IPTables rules for Bind to work properly without exposing our
> server to exploits. Right now, I'm pretty much accepting all traffic to
> and from port 53 and that's "probably" not a good thing. I'm running
> IPtables on the same machine running Bind.
> 
> Can someone point me in the right direction?
> 
> Thanks.
>                                ---------
>             Quality Management - A Commitment to Excellence
-- 
Alexis <alexis@attla.net.ar>

* Re: Rules for DNS
From: Krzysztof Mazurczyk @ 2004-01-30 12:58 UTC (permalink / raw)
  To: netfilter

On Thu, 29/Jan/04 12:47:13, Alexis wrote:
> 
> Be extremely careful if you are NATting the DNS server.
> 
May I ask why?

Regards,
Chris