* Stefan Srdic (linuxbox@telusplanet.net) [010701 12:10]:
> I'm running Woody at home and have installed and configured BIND 9 as a
> caching-only nameserver.
>
> Basically, BIND is configured to listen for DNS queries on my localhost
> and the local network. I also have BIND configured to use my ISP's
> nameservers as forwarders if it does not contain the resolving
> information in the cache. Finally, the daemon is also limited to query
> source port 53 for easy compliance with Netfilter.
>

You shouldn't need to do this; in fact it sounds less secure. What you
probably should do is not use a query source port statement in your
named.conf. This way your queries will go out on a high (1024-65535)
port like any other outgoing network queries. These will most likely
already be allowed by your firewall (if you want any other localnet
clients to access outside, they'd better be) and you can then safely and
rightly block access to port 53 from the external interface on your
machine.

This way is pragmatically equivalent (from the outside's point of view)
to not running bind at all: they'll have no access to it; the only DNS
queries they'll see may just as well be coming from internal hosts
rather than your caching nameserver.

Vineet
Attachment:
pgpYS6t9v_8j6.pgp
Description: PGP signature
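To make the advice above concrete, here is an added example (not code from either poster) showing the named.conf "options" block as the original poster described it, with the query-source statement pinning outgoing queries to port 53, beside the form Vineet recommends, with the statement simply left out, plus the netfilter rules that go with the recommended form: inbound port 53 dropped on the external interface, outbound queries from high ports allowed. The interface name eth0, the addresses, the directory path and the helper function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: BIND 9 caching-only resolver, with and without the
# "query-source ... port 53" statement, and matching netfilter rules.
# Interface name, addresses and paths are assumptions, not from the thread.

# Constructed fragment: the setup the original poster described.
# Pinning the source port to 53 means the resolver's outgoing queries
# look like inbound DNS traffic to the firewall, so port 53 has to stay
# open on the external interface.
NAMED_CONF_PINNED='options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; 192.168.1.1; };
    forwarders { 10.0.0.1; 10.0.0.2; };
    query-source address * port 53;
};'

# Recommended form: no query-source statement at all. Outgoing queries
# then use an ephemeral high port (1024-65535) like any other client.
NAMED_CONF_RECOMMENDED='options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; 192.168.1.1; };
    forwarders { 10.0.0.1; 10.0.0.2; };
};'

# Return 0 (true) if the given named.conf text pins the query source
# port to 53, i.e. contains the statement Vineet says to leave out.
pins_query_port_53() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*query-source[^;]*port[[:space:]]+53[[:space:]]*;'
}

# Print iptables rules for the recommended setup. $1 is the external
# interface (assumed name, e.g. eth0). Inbound port 53 is dropped there;
# queries leaving from high ports are allowed, and their replies come
# back as part of an established flow.
firewall_rules() {
    ext_if=$1
    cat <<EOF
iptables -A INPUT -i $ext_if -p udp --dport 53 -j DROP
iptables -A INPUT -i $ext_if -p tcp --dport 53 -j DROP
iptables -A OUTPUT -o $ext_if -p udp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A OUTPUT -o $ext_if -p tcp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A INPUT -i $ext_if -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Check a set of rules (on stdin) drops inbound UDP port 53 on $1.
rules_block_inbound_53() {
    grep -q -- "-A INPUT -i $1 -p udp --dport 53 -j DROP"
}

# Stand-alone run: report on both fragments and print the rules.
if pins_query_port_53 "$NAMED_CONF_PINNED"; then
    echo "pinned config: query source port fixed at 53 (not recommended)"
fi
if ! pins_query_port_53 "$NAMED_CONF_RECOMMENDED"; then
    echo "recommended config: queries leave from an ephemeral high port"
fi
firewall_rules eth0
```

The check function only looks for the literal "port 53" form; a query-source statement with "port *" or no port clause already leaves the source port ephemeral and is fine.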