On Sun, Feb 04, 2001 at 09:53:48PM +0100, Gustav Schaffter wrote:
> Michael,
> I run a caching DNS and it's of course authoritative for my internal
> private network. (Where I use the .home TLD. Shouldn't get any requests
> for that domain, I believe.)
Hmmm... Probably true... I'll have to think about that a bit.
> "Michael H. Warfield" wrote:
> <multiple snips>
> > > Any idea of why I get so many packets on port 53? DENY'd so far, but...
> > TCP or UDP? Both are used by DNS but for generally different tasks.
> The traffic I'm receiving is udp.
Ok... So normal DNS traffic.
> > You should not be seeing TCP traffic on 53 unless requests are
> > larger than what can be handled in a single UDP packet. Those are
> > typically zone transfers and you probably don't want that.
> Is there anywhere I can restrict who can request a zone transfer? (I do
> run a secondary DNS in my little network. ;-)
Yes...
You don't say what version Bind you are running but I would assume
(hope) it's at least Bind 8.2.3. There are security advisories out on
anything and everything less. (Well Bind 4.9.8 is said to be safe but
4.x is deprecated and nobody should be using it anyways).
In Bind 8.x and Bind 9.x you restrict who can request a zone
transfer with the "allow-transfer" stanza in the configuration file.
Here's an example from the O'Reilly Book "DNS and BIND" (3rd ed,
p 252):
    zone "acmebw.com" {
        type master;
        file "db.acmebw";
        allow-transfer {
            192.168.0.1;
            192.168.1.1;
        };
    };
> If I understand your reasoning I should probably accept all incoming udp
> from port 53 to any unprivileged port, no matter what the source address
> is?
Probably. You can also set up your name servers to be "forwarding
only". That way they will ONLY ever talk to their forwarding servers and
never try to contact other name servers on their own. That's described on
page 246 of the same book above. You would use something like this:
    options {
        forwarders {
            192.249.249.1;
            192.249.249.3;
        };
        forward only;    // BIND 8/9 spelling; "forward-only" was the BIND 4 named.boot form
    };                   // the options block must be terminated with ';' like any other statement
That tightens the restrictions on where your name server will go
with a request and will limit DNS communications between it and the
specified forwarders only. Then you just limit your clients to only
talk to your restricted forwarding-only name server (by only putting that
address in the resolv.conf files) and you should be set.
> Regards
> Gustav
> --
> pgp = Pretty Good Privacy.
>
> To get my public pgp key, send an e-mail to: [EMAIL PROTECTED]
>
> Visit my web site at http://www.schaffter.com
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
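Both settings discussed in the mail fail silently when mistyped: a master or slave zone with no allow-transfer (and no global one in options) answers AXFR from anyone, and an options block without its closing ';' stops named from loading at all. The following is an added example, not code from the thread, from the book or from BIND itself: a small Python audit that parses a constructed named.conf with a minimal brace/semicolon parser and reports unrestricted zones, "any" ACLs, and forwarders without "forward only". The sample configuration, its zone names and addresses are made up for the example.

```python
"""Audit a named.conf for the two BIND settings discussed in the thread:
zone-transfer restriction (allow-transfer) and forward-only operation.
Added example, not part of the original mail; the parser below is a
minimal one for named.conf's brace/semicolon syntax, enough for audits."""
import re

# Constructed sample named.conf (not from the thread): one zone restricted the
# way the book example shows, one internal zone with no restriction, a slave
# zone that refuses transfers outright, and an options block that lists
# forwarders but omits "forward only".
SAMPLE_CONF = '''
options {
    directory "/var/named";
    forwarders { 192.249.249.1; 192.249.249.3; };   // upstream resolvers
};

zone "acmebw.com" {
    type master;
    file "db.acmebw";
    allow-transfer { 192.168.0.1; 192.168.1.1; };
};

zone "home" {
    type master;        # internal TLD: no allow-transfer, so AXFR is open
    file "db.home";
};

zone "0.168.192.in-addr.arpa" {
    type slave;
    file "bak.0.168.192";
    masters { 192.168.0.1; };
    allow-transfer { none; };
};
'''


def tokenize(text):
    """Drop /* */, // and # comments, then split into quoted strings, braces,
    semicolons and bare words. (Comment markers inside quoted strings are not
    special-cased; good enough for an audit of ordinary named.conf files.)"""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)


def parse(tokens, i=0):
    """Parse statements until a closing brace or end of input.
    Returns (statements, index); each statement is (words, body) where body is
    a nested statement list or None. Raises ValueError on a missing ';', the
    classic named.conf mistake (e.g. "options { ... }" without the ';')."""
    stmts = []
    while i < len(tokens) and tokens[i] != "}":
        words = []
        while i < len(tokens) and tokens[i] not in ("{", ";"):
            words.append(tokens[i].strip('"'))
            i += 1
        body = None
        if i < len(tokens) and tokens[i] == "{":
            body, i = parse(tokens, i + 1)  # comes back with i at the matching "}"
            i += 1
        if i >= len(tokens) or tokens[i] != ";":
            raise ValueError("missing ';' after: " + " ".join(words))
        i += 1
        if words:
            stmts.append((words, body))
    return stmts, i


def stmt_map(body):
    """Index a statement list by first word, e.g. {'type': (['type', 'master'], None)}."""
    return {w[0]: (w, b) for w, b in (body or [])}


def audit(conf_text):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    top, _ = parse(tokenize(conf_text))
    opts = {}
    for words, body in top:
        if words[0] == "options":
            opts = stmt_map(body)
    # allow-transfer in options is the default for every zone without its own.
    global_xfer = opts.get("allow-transfer")
    for words, body in top:
        if words[0] != "zone":
            continue
        name, z = words[1], stmt_map(body)
        ztype = " ".join(z["type"][0][1:]) if "type" in z else ""
        if ztype not in ("master", "slave"):
            continue  # hint/stub/forward zones hold no data to transfer
        xfer = z.get("allow-transfer", global_xfer)
        if xfer is None:
            findings.append(f"zone {name}: no allow-transfer, AXFR is open to any host")
        elif "any" in [w[0] for w, _ in (xfer[1] or [])]:
            findings.append(f"zone {name}: allow-transfer {{ any; }} restricts nothing")
    # "forward only;" is the BIND 8/9 form; "forward-only" (BIND 4 named.boot) is accepted too.
    mode = None
    if "forward-only" in opts:
        mode = "only"
    elif "forward" in opts and len(opts["forward"][0]) > 1:
        mode = opts["forward"][0][1]
    fwd = "forwarders" in opts
    if fwd and mode != "only":
        findings.append("options: forwarders set but not 'forward only', server still queries other name servers itself")
    if mode == "only" and not fwd:
        findings.append("options: 'forward only' without forwarders, no lookup can succeed")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONF):
        print(line)
```

Run against a real file with audit(open("/etc/named.conf").read()); the ValueError on a missing ';' is deliberate, since that is exactly the error named itself would refuse to start on. The allow-transfer check treats slave zones the same as masters because a secondary answers AXFR too, which is why the sample's reverse zone carries allow-transfer { none; }.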