[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Securing bind..

Jor-el wrote:
> > Another possibility is to have the port for outgoing connections be something 
> > other than 53 (54 seems unused) and use iptables or ipchains to block data 
> > from the outside world coming to port 53.
> 	Of course, in the case of DNS servers, you could be OK, since you
> do want to lessen the number of folks who use your services (right?). But
> in general, I consider this to be poor advice.

  That is perfectly true.

  In fact, restricting access to the (recursive) nameserver should be
  considered not only in a matter of IP filtering but also in BIND's own
  configuration (using allow-query and allow-recursion sets).

  Authoritative name serving is a totally different matter, since you
  can not predict the source adress.

Thomas Seyrat.

Reply to: