Re: Using BIND in a chroot enviro?
>> Recently I have been receiving several weird netfilter logs complaining
>> about denied DNS queries
>Um, how's netfilter telling you this?
This is the basic chain that I have created for DNS. I have tested it
and have found it to work perfectly (in my opinion, anyway).
# Domain Name Service
# allow our caching-only nameserver to forward queries to our ISP's
# nameservers and to listen to our local net for internal queries
# Permit incoming and outgoing DNS queries from the localhost
iptables -A DNS -i $LOOPBACK -s $LOCALHOST -j ACCEPT
iptables -A DNS -o $LOOPBACK -d $LOCALHOST -j ACCEPT
# Permit incoming and outgoing DNS queries from our LAN
iptables -A DNS -i $LANIFACE -s $LAN -j ACCEPT
iptables -A DNS -o $LANIFACE -d $LAN -j ACCEPT
# Permit incomming and outgoing datagrams from and to
# our ISP's nameservers
iptables -A DNS -i $EXTIFACE -s $PRINAME -j ACCEPT
iptables -A DNS -i $EXTIFACE -s $SECNAME -j ACCEPT
iptables -A DNS -o $EXTIFACE -d $PRINAME -j ACCEPT
iptables -A DNS -o $EXTIFACE -d $SECNAME -j ACCEPT
# All filtering is done, Log N Drop all other DNS datagrams
iptables -A DNS -j LOGNDROP
The logs that I am receiving look like this, only the IP is usually
different from log to log:
Jun 28 15:39:25 NodeFilter kernel: Denied UDP: IN= OUT=eth0 SRC=xxx.xxx.xxx.xxx DST=192.5.5.241 LEN=67 TOS=0x00 PREC=0x00 TTL=32 ID=0 DF PROTO=UDP SPT=53 DPT=53
clear LEN=47
Seems to me that I am receiving a lot of oddball DNS queries going out.
It could be named querying the master name servers or maybe I'm just
paranoid :-D
>> Where could I find any relative information on running BIND in a chroot
>> jail on Debian?
I actually found a link over at Psionic software:
http://www.psionic.com/papers/dns
and another over at LinuxDoc.org
http://www.linuxdoc.org/HOWTO/Chroot-BIND-HOWTO.html
I'll be attempting to create a chroot jail for named later on tonight.
I'll let you know how it turns out.
Stef
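As an added example (not code from Stef's post or from the thread), a small Python parser for netfilter LOG lines of the shape quoted above that classifies each denial against what the DNS chain permits, so that "outbound to a nameserver that is not $PRINAME/$SECNAME" (the pattern in the quoted log) is separated from inbound noise. The ISP nameserver addresses, the LAN range and the sample source addresses are constructed placeholders standing in for the chain's variables; the example also handles the inbound direction, which the post does not show.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the same layout as the netfilter log in the post.
# The post masks the real source address; these values are made up.
SAMPLE_LOGS = [
    "Jun 28 15:39:25 NodeFilter kernel: Denied UDP: IN= OUT=eth0 SRC=203.0.113.10 "
    "DST=192.5.5.241 LEN=67 TOS=0x00 PREC=0x00 TTL=32 ID=0 DF PROTO=UDP SPT=53 DPT=53",
    "Jun 28 15:40:02 NodeFilter kernel: Denied UDP: IN= OUT=eth0 SRC=203.0.113.10 "
    "DST=192.0.2.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1053 DPT=53",
    "Jun 28 15:41:17 NodeFilter kernel: Denied UDP: IN=eth0 OUT= SRC=198.51.100.200 "
    "DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=4444 DPT=53",
]

# Hypothetical stand-ins for the chain's $PRINAME/$SECNAME and $LAN variables.
ISP_NAMESERVERS = {ip_address("198.51.100.53"), ip_address("198.51.100.54")}
LAN = ip_network("192.168.1.0/24")

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_netfilter(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict (empty values kept)."""
    return dict(FIELD_RE.findall(line))

def classify(line):
    """Say which gap between the chain's ACCEPT rules and the final LOGNDROP this hit."""
    f = parse_netfilter(line)
    if f.get("PROTO") not in ("UDP", "TCP") or "53" not in (f.get("SPT"), f.get("DPT")):
        return "not-dns"
    src, dst = ip_address(f["SRC"]), ip_address(f["DST"])
    if f.get("OUT") and not f.get("IN"):
        # Locally generated (IN empty): named or another process talking to a
        # nameserver that is not one of the ISP servers the chain permits.
        if dst not in ISP_NAMESERVERS:
            return "outbound-to-unlisted-nameserver"
        return "outbound-to-permitted-nameserver"   # loaded rules differ from script
    if f.get("IN") and not f.get("OUT"):
        if src not in ISP_NAMESERVERS and src not in LAN:
            return "inbound-from-unlisted-source"
        return "inbound-from-permitted-source"      # loaded rules differ from script
    return "forwarded"

def summarize(lines):
    """Count denial reasons over a batch of log lines."""
    counts = {}
    for line in lines:
        reason = classify(line)
        counts[reason] = counts.get(reason, 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```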