Re: Paranoid question regarding Bind
- To: misc@openbsd.org
- Subject: Re: Paranoid question regarding Bind
- From: Rémi Guyomarch <rguyom@pobox.com>
- Date: Thu, 1 Nov 2001 16:26:55 +0100
- Content-Disposition: inline
- References: <Pine.BSO.4.33.0110311005180.26823-100000@campus.iztacala.unam.mx> <20011031181554.661a899a.steve@velosystems.net> <20011031195527.A2784@granitesky.com> <031001c162db$a6a44d70$6700a8c0@viper>
- User-Agent: Mutt/1.2.5i
On Thu, Nov 01, 2001 at 07:46:47AM -0600, SLaSH wrote:
> YES!
> 53!
>
> > #allow udp dns replies from @home servers
> > pass in quick on fxp0 proto tcp/udp from 24.5.156.15 to a.b.c.d port=53
> > pass in quick on fxp0 proto tcp/udp from 24.5.156.17 to a.b.c.d port=53
>
> I do not even allow tcp on port 53 since I don't do zone transfers AND I
> use the rules stateful. In other words:
> pass out quick on fxp0 proto tcp/udp from a.b.c.d to 24.5.156.17 port=53 keep state
Well, I've a couple of problems with the above lines:
1) DNS via TCP is not limited to zone transfers
2) you're allowing TCP requests because of "proto tcp/udp"
3) it's not the right way to keep state on TCP
4) if you want to only forward requests to your ISP name server(s) be
sure to use "option forward-only", so your bind won't try to ask the
root name servers for example.
IMHO, the right way is:
pass out on fxp0 proto udp from a.b.c.d to isp-dns-srv1 port = 53 keep state
pass out on fxp0 proto tcp from a.b.c.d to isp-dns-srv1 port = 53 flags S keep state
pass out on fxp0 proto udp from a.b.c.d to isp-dns-srv2 port = 53 keep state
pass out on fxp0 proto tcp from a.b.c.d to isp-dns-srv2 port = 53 flags S keep state
--
Rémi
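Point 1 above is the one most often missed when people filter port 53: a resolver falls back to TCP on any answer that does not fit in a 512-byte UDP datagram (RFC 1035, no EDNS0), not just for zone transfers, so a UDP-only rule silently breaks lookups for large answers. The following Python script is an added illustration of that mechanism and is not part of the thread or of any BIND code: it builds a query and an A-record answer in wire format, applies the 512-byte truncation rule a server would apply, sets the TC bit, and reports which transport the client would use next. The name `example.test` and the 10.0.0.x addresses are constructed for the demonstration.

```python
"""
Added example (not from the thread): why a UDP-only rule for port 53 breaks
ordinary lookups. An answer larger than 512 bytes is truncated, the TC bit is
set, and the resolver repeats the same query over TCP port 53.
"""
import struct

UDP_MAX = 512        # RFC 1035 UDP payload limit without EDNS0
FLAG_QR = 0x8000     # header flag: this message is a response
FLAG_TC = 0x0200     # header flag: message was truncated


def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + label, 0 terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid=0x1234):
    """Standard query, one question, type A (1), class IN (1)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def question_len(msg):
    """Length of the question section that starts at offset 12."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4 - 12          # name, terminator, QTYPE, QCLASS


def build_response(query, addresses):
    """Full (untruncated) answer: one A record per address, name compressed
    to a pointer at offset 12 (0xc00c), TTL 300, RDLENGTH 4."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:12 + question_len(query)]
    header = struct.pack("!HHHHHH", qid, FLAG_QR, 1, len(addresses), 0, 0)
    answers = b""
    for ip in addresses:
        rdata = bytes(int(o) for o in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answers


def udp_fit(response):
    """Apply the UDP limit the way a server does.
    Returns (datagram, truncated). A truncated datagram keeps only the
    header (with TC set, ANCOUNT 0) and the question."""
    if len(response) <= UDP_MAX:
        return response, False
    qid, flags = struct.unpack("!HH", response[:4])
    header = struct.pack("!HHHHHH", qid, flags | FLAG_TC, 1, 0, 0, 0)
    return header + response[12:12 + question_len(response)], True


def is_truncated(datagram):
    return bool(struct.unpack("!H", datagram[2:4])[0] & FLAG_TC)


def transport_for(datagram):
    """What the resolver does next: retry over TCP if TC is set, else done."""
    return "tcp" if is_truncated(datagram) else "udp"


if __name__ == "__main__":
    q = build_query("example.test.")
    for count in (5, 40):
        # constructed addresses 10.0.0.1 .. 10.0.0.count
        resp = build_response(q, ["10.0.0.%d" % i for i in range(1, count + 1)])
        datagram, truncated = udp_fit(resp)
        print("%2d records: %3d bytes on the wire, truncated=%s, next transport=%s"
              % (count, len(resp), truncated, transport_for(datagram)))
```

Forty A records push the answer to 670 bytes, so the UDP reply comes back with only the question and TC set and the client immediately re-asks over TCP; with the UDP-only rule from the quoted message that retry is dropped and the lookup fails. This is why the corrected ruleset above keeps a stateful TCP rule (with `flags S`) alongside the UDP one.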