[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: DNS thru firewall

On Tue, May 08, 2001 at 09:45:39AM +0200, Lars Hallberg wrote:
> Hello again
> I have this in my fw roules to allow acces to a nameserver
> inside my net (it will be moved to a DMZ later). 
> iptables -A FORWARD $v -i $INTER -o $INTRA -p udp
> --destination-port domain -d hygglo2.gdpc.se -j ACCEPT

I assume $INTER is your interface on the "Internet" side of the
firewall, $INTRA is the interface on the internal network and
hygglo2.gdpc.se is your DNS server on the internal network.

> (all the used domainame is specifide in /etc/hosts so the fw
> can go up before the net).
> It works as far as I can look up names from remote sites. But
> zone transfere dont seam to work and the dns server crached
> mysteriusly last night so something migt anoy it :-/

You need TCP port 53 for zone transfers (and also other large
DNS queries AFAIK.)

> Is there any more ports that needs to be open for a full
> working dns server? Is ther some kind of cookbook for what
> ports different services uses?
> I have got prety far by loking into /etc/services and guessing
> ;-) but it don't feel all that secure :-/

Just one thing to bear in mind...  If your DNS server has a
remote root exploit, your firewall's not going to help one bit.
Make sure your DNS server is up to date, running as an
unprivileged user and possibly chrooted too.

Michael Wood        | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies

Reply to: