On Sun, 4 Feb 2001, Michael H. Warfield spewed into the bitstream:
MHW>On Sun, Feb 04, 2001 at 09:53:48PM +0100, Gustav Schaffter wrote:
MHW>> Michael,
MHW>
MHW>> I run a caching DNS and it's of course authoritative for my internal
MHW>> private network. (Where I use the .home TLD. Shouldn't get any requests
MHW>> for that domain, I believe.)
MHW>
MHW> Hmmm... Probably true... I'll have to think about that a bit.
MHW>
MHW>> "Michael H. Warfield" wrote:
MHW>> <multiple snips>
MHW>
MHW>> > > Any idea of why I get so many packets on port 53? DENY'd so far, but...
MHW>
MHW>> > TCP or UDP? Both are used by DNS but for generally different tasks.
MHW>
MHW>> The traffic I'm receiving is udp.
MHW>
MHW> Ok... So normal DNS traffic.
MHW>
MHW>> > You should not be seeing TCP traffic on 53 unless requests are
MHW>> > larger than what can be handled in a single UDP packet. Those are
MHW>> > typically zone transfers and you probably don't want that.
MHW>
MHW>> Is there anywhere I can restrict who can request a zone transfer? (I do
MHW>> run a secondary DNS in my little network. ;-)
MHW>
MHW> Yes...
MHW>
MHW> You don't say what version of Bind you are running but I would assume
MHW>(hope) it's at least Bind 8.2.3. There are security advisories out on
MHW>anything and everything less. (Well Bind 4.9.8 is said to be safe but
MHW>4.x is deprecated and nobody should be using it anyways).
MHW>
MHW> In Bind 8.x and Bind 9.x you restrict who can request a zone
MHW>transfer with the "allow-transfer" stanza in the configuration file.
MHW>
MHW> Here's an example from the O'Reilly Book "DNS and BIND" (3rd ed,
MHW>p 252):
MHW>
MHW>zone "acmebw.com" {
MHW> type master;
MHW> file "db.acmebw";
MHW> allow-transfer {
MHW> 192.168.0.1;
MHW> 192.168.1.1;
MHW> };
MHW>};
MHW>
MHW>> If I understand your reasoning I should probably accept all incoming udp
MHW>> from port 53 to any unprivileged port, no matter what the source address
MHW>> is?
MHW>
MHW> Probably. You can also set up your name servers to be "forwarding
MHW>only". That way they will ONLY ever talk to their forwarding servers and
MHW>never try to contact other name servers on their own. That's described on
MHW>page 246 of the same book above. You would use something like this:
MHW>
MHW>options {
MHW> forwarders {
MHW> 192.249.249.1;
MHW> 192.249.249.3;
MHW> };
MHW> forward-only;
MHW>};
MHW>
MHW> That tightens the restrictions on where your name server will go
MHW>with a request and will limit DNS communications between it and the
MHW>specified forwarders only. Then you just limit your clients to only
MHW>talk to your restricted forwarding-only name server (by only putting that
MHW>address in the resolv.conf files) and you should be set.
Here's some more sample stuff to help out:
// BIND configuration file
// created by Chuck Mead on 31 Aug 00
// last edited 3 Feb 2001
options {
version "Not today!";
directory "/var/named";
pid-file "/var/named/named.pid";
statistics-interval 0;
interface-interval 0;
};
acl "secondary" {
127.0.0.0/8;
xxx.xxx.xxx.xxx/32;
xxx.xxx.xxx.xxx/32;
};
logging {
category lame-servers { null; };
};
zone "mysample.com" {
type master;
file "primary/db.mysample";
allow-query { any; };
allow-update { none; };
allow-transfer { secondary; };
};
--
Chuck Mead, Owner, MoonGroup.com
[EMAIL PROTECTED] (Note: all html email sent to me is deleted unread)
GnuPG Public Key Available: http://wwwkeys.us.pgp.net
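The allow-transfer rules discussed above can be checked mechanically rather than by eye. Below is an added example, not from this thread and not part of BIND: a small Python script that walks a named.conf, works out the effective allow-transfer list for each zone (zone stanza first, then the global options block) and reports zones that are either "open" (allow-transfer { any; }) or "unrestricted" (no allow-transfer anywhere, which BIND 8 and early BIND 9 treat as any). The sample config, the function names and the addresses are constructed for the example.

```python
import re

# Constructed named.conf fragment (not the page's file) with the stanzas the
# thread discusses: a restricted zone, an open zone and one that inherits from options.
SAMPLE_CONF = """
acl "secondary" { 127.0.0.0/8; 192.0.2.10/32; };
options { directory "/var/named"; forwarders { 192.0.2.1; 192.0.2.3; }; forward only; };
zone "good.example" { type master; file "primary/db.good";
    allow-transfer { secondary; }; allow-update { none; }; };
zone "open.example" { type master; file "primary/db.open"; allow-transfer { any; }; };
zone "default.example" { type master; file "primary/db.default"; };
"""

def top_level_blocks(conf):
    """Return [(header, body)] for each top-level `header { body };` statement."""
    text = re.sub(r"(//|#).*", "", re.sub(r"/\*.*?\*/", "", conf, flags=re.S))
    blocks, depth, start, last_end = [], 0, 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            start = i if depth == 0 else start
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:  # closed a top-level block; its header is the text since the last one
                blocks.append((text[last_end:start].strip(" \t\r\n;"), text[start + 1:i]))
                last_end = i + 1
    return blocks

def match_list(body, option):
    """Address-match list of `option { a; b; }` inside body, or None if not set."""
    m = re.search(r"\b" + re.escape(option) + r"\s*\{([^}]*)\}", body)
    return None if m is None else [t.strip() for t in m.group(1).split(";") if t.strip()]

def audit_transfers(conf):
    """Map zone -> 'open' (allow-transfer { any; }) or 'unrestricted' (no allow-transfer
    in the zone or in options, which BIND 8 / early BIND 9 treat as any)."""
    global_transfer, zones = None, {}
    for header, body in top_level_blocks(conf):
        words = header.split() or [""]
        if words[0] == "options":
            global_transfer = match_list(body, "allow-transfer")
        elif words[0] == "zone":
            zones[words[1].strip('"')] = match_list(body, "allow-transfer")
    findings = {}
    for name, own in zones.items():
        effective = global_transfer if own is None else own  # zone setting wins over options
        if effective is None or "any" in effective:
            findings[name] = "unrestricted" if effective is None else "open"
    return findings
```

Running audit_transfers(SAMPLE_CONF) flags open.example as open and default.example as unrestricted, while good.example (limited to the "secondary" ACL, as in Chuck's config) is not reported.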
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list