Re: DNS thru firewall



On Tue, May 08, 2001 at 09:45:39AM +0200, Lars Hallberg wrote:
> Hello again
> 
> I have this in my fw rules to allow access to a nameserver
> inside my net (it will be moved to a DMZ later). 
> 
> iptables -A FORWARD $v -i $INTER -o $INTRA -p udp
> --destination-port domain -d hygglo2.gdpc.se -j ACCEPT

I assume $INTER is your interface on the "Internet" side of the
firewall, $INTRA is the interface on the internal network and
hygglo2.gdpc.se is your DNS server on the internal network.

> (all the used domain names are specified in /etc/hosts so the fw
> can come up before the net).
> 
> It works as far as I can look up names from remote sites. But
> zone transfers don't seem to work and the DNS server crashed
> mysteriously last night, so something might be annoying it :-/

You need TCP port 53 for zone transfers (and also other large
DNS queries AFAIK.)

> Are there any more ports that need to be open for a fully
> working DNS server? Is there some kind of cookbook for what
> ports different services use?
> 
> I have got pretty far by looking into /etc/services and guessing
> ;-) but it doesn't feel all that secure :-/

Just one thing to bear in mind...  If your DNS server has a
remote root exploit, your firewall's not going to help one bit.
Make sure your DNS server is up to date, running as an
unprivileged user and possibly chrooted too.

-- 
Michael Wood        | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
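
Added example (not from the original thread, not the poster's own rule
set): the FORWARD rules from the post extended to cover TCP 53 as well
as UDP 53, in both directions, so that zone transfers and truncated
answers retried over TCP get through. The interface names, the
"$IPT" dry-run default, the state matches and the outbound rules for
the server's own queries are assumptions not in the original; only the
server name hygglo2.gdpc.se comes from the post.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Placeholder values
# below are assumptions; adjust them to the real interfaces and address.
INTER="${INTER:-eth0}"                         # assumed: Internet-side interface
INTRA="${INTRA:-eth1}"                         # assumed: internal interface
DNS_SERVER="${DNS_SERVER:-hygglo2.gdpc.se}"    # name from the post; iptables resolves
                                               # it once, at insertion time, via /etc/hosts
IPT="${IPT:-echo iptables}"                    # dry run by default; IPT=iptables applies

# Emit (or apply) the rules.  Both UDP and TCP 53 are needed: UDP for
# ordinary lookups, TCP for zone transfers (AXFR) and for answers that
# do not fit in a UDP reply (the client sees the TC bit and retries
# over TCP).  ESTABLISHED matches the return half of both a UDP
# exchange and a TCP stream, so no open "any source port 53" hole.
dns_rules() {
    for proto in udp tcp; do
        # Queries from the Internet to the internal server, and replies out.
        $IPT -A FORWARD -i "$INTER" -o "$INTRA" -p "$proto" --dport 53 \
             -d "$DNS_SERVER" -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -A FORWARD -i "$INTRA" -o "$INTER" -p "$proto" --sport 53 \
             -s "$DNS_SERVER" -m state --state ESTABLISHED -j ACCEPT
    done
    for proto in udp tcp; do
        # The server's own queries outward (recursion, and pulling zones it
        # is secondary for), and the answers back in.
        $IPT -A FORWARD -i "$INTRA" -o "$INTER" -p "$proto" --dport 53 \
             -s "$DNS_SERVER" -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -A FORWARD -i "$INTER" -o "$INTRA" -p "$proto" --sport 53 \
             -d "$DNS_SERVER" -m state --state ESTABLISHED -j ACCEPT
    done
}

# Stand-alone run: prints the eight rules (or applies them with IPT=iptables).
dns_rules
```

Run it once as a dry run to review the rules, then with IPT=iptables
to load them. To check from outside, a TCP-only lookup such as
"dig +tcp @hygglo2.gdpc.se <zone> SOA" and an explicit
"dig @hygglo2.gdpc.se <zone> AXFR" both have to cross 53/tcp. Leave
TCP 53 open to everyone at the firewall, since large answers need it
too; restrict who may actually pull a zone in the nameserver itself
(allow-transfer in BIND), which is also where the server's own
hardening from the reply above belongs.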
