Re: Securing bind..
Jor-el wrote:
> > Another possibility is to have the port for outgoing connections be something
> > other than 53 (54 seems unused) and use iptables or ipchains to block data
> > from the outside world coming to port 53.
[...]
> Of course, in the case of DNS servers, you could be OK, since you
> do want to lessen the number of folks who use your services (right?). But
> in general, I consider this to be poor advice.
That is perfectly true.
In fact, restricting access to the (recursive) nameserver should be
considered not only as a matter of IP filtering but also in BIND's own
configuration (using allow-query and allow-recursion sets).
Authoritative name serving is a totally different matter, since you
can not predict the source address.
--
Thomas Seyrat.
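As an added illustration of the BIND-side restriction described in the reply above (this is example configuration, not something posted in the thread): a named.conf fragment that limits recursion and general queries to local clients while keeping an authoritative zone answerable from anywhere. The acl name "trusted", the network 192.0.2.0/24, the zone example.com and the file paths are all assumed placeholders.

```conf
// Added example, not from the thread: restrict recursion to our own
// clients, but serve the authoritative zone to the whole Internet.
// 192.0.2.0/24 is a constructed placeholder for the local network.
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;
};

options {
    directory "/var/cache/bind";      // assumed path, adjust to your install
    // Only trusted clients may use this server as a recursive resolver.
    allow-recursion { "trusted"; };
    // Default query policy for zones that do not override it below.
    allow-query { "trusted"; };
};

// Authoritative zone: the source address of a legitimate query cannot be
// predicted, so this zone must stay queryable from any address.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com"; // assumed path
    allow-query { any; };
};
```

To check the effect, query the server from an address outside the trusted acl: a lookup for a name in example.com should be answered, while a recursive lookup for a name the server is not authoritative for should be refused. The packet filter mentioned earlier in the thread is complementary to this, not a replacement for it: the BIND ACLs still apply to traffic that the filter lets through.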