On Mar 15, 2011, at 11:08 AM, Martin McCormick wrote:
> Is there a recommended set of firewall rules that insure that all
> necessary DNS traffic can enter and leave, even the larger
> packets that result from dns-sec?

# allow UDP DNS queries out to the world, and in to your nameservers
## It's faster to do this stateless, and reduces DoS risk against the firewall,
## but you are exposing your network to UDP port scans from source port 53
## (if you have other open UDP ports).  If you want to be stateful, switch to:
##   add pass udp from any to $NAMESERVER_IP 53 keep-state
##   add pass udp from $YOURNET to any 53 keep-state

add pass udp from any to $NAMESERVER_IP 53
add pass udp from $NAMESERVER_IP 53 to any
add pass udp from $YOURNET 53,1024-65535 to any 53
add pass udp from any 53 to $YOURNET 53,1024-65535

# allow TCP DNS outbound and inbound only to nameserver boxes
## Likewise, you can add keep-state if you want to be stateful;
## in which case the established line can be removed.
add pass tcp from any to any established
add pass tcp from $YOURNET to any 53 setup
add pass tcp from any to $NAMESERVER_IP 53 setup


For something like a Cisco PIX/ASA, you probably want "no fixup protocol dns" 
to avoid breaking EDNS, but "fixup protocol dns maximum-length 4096" might be a 
workable alternative.


bind-users mailing list

Reply via email to