On 2020-10-15 14:38, sth...@nethelp.no wrote:
>> I would run a firewall even for BIND alone on a box in case the box
>> gets compromised through BIND. Allowing remote access and DNS, then
>> dropping everything else as the general firewall policy should be
>> pretty straightforward. But with the IP on this particular BIND box
>> being public, it's really like any other server on the internet. Port
>> forwarding or NAT in that case would be unnecessary.
>
> Do you mean a simple stateless ACL, or a stateful firewall? If you
> really mean a stateful firewall: Think about the effect of DNS
> queries - they are usually UDP based, and every new query is going
> to create state. Read up on state table exhaustion.

Absolutely right; I wrote this Linux-centric article about it:

https://kb.isc.org/docs/aa-01183

It has not been updated to cover nftables.

Note also that this is a good reason NOT to use the NAT that
other posters have encouraged.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
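The post above says the ISC article has not been updated for nftables. What follows is an added nftables ruleset written for this page; it is not from kb.isc.org/docs/aa-01183, not ISC's, and not anything a poster in the thread supplied. It assumes an authoritative-only BIND on a public address with no NAT, SSH from a single management prefix as the only other service, and it uses the 192.0.2.0/24 documentation range as a placeholder for that prefix. The point it demonstrates is the one sth raised: DNS traffic is exempted from connection tracking with `notrack` at raw priority, so queries never enter the state table, and the filter chain then has to accept DNS statelessly because untracked packets are never `established`.

```nft
#!/usr/sbin/nft -f
# Added example for an authoritative-only BIND host on a public IP (no NAT).
# Not from kb.isc.org/docs/aa-01183. The admin prefix is an assumed placeholder.
flush ruleset

define admin_net = 192.0.2.0/24    # assumed management prefix (documentation range)

table inet dns_host {

    # Raw-priority hooks run before conntrack sees the packet. Marking DNS
    # 'notrack' here means a flood of UDP queries cannot fill nf_conntrack_max.
    # Both directions are exempted so replies are not tracked either.
    chain raw_pre {
        type filter hook prerouting priority raw; policy accept;
        udp dport 53 notrack
        tcp dport 53 notrack
    }
    chain raw_out {
        type filter hook output priority raw; policy accept;
        udp sport 53 notrack
        tcp sport 53 notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # DNS is untracked, so 'ct state established' will never match it.
        # It must be accepted statelessly on the service port.
        udp dport 53 accept
        tcp dport 53 accept

        # Minimal ICMP/ICMPv6 so PMTUD and neighbour discovery keep working.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big,
                      time-exceeded, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept

        # Remote administration stays stateful; only this prefix creates state.
        ip saddr $admin_net tcp dport 22 ct state new accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

After loading with `nft -f`, `conntrack -L -p udp --dport 53 | wc -l` should stay at zero while the server is answering queries, and `/proc/sys/net/netfilter/nf_conntrack_count` should only reflect the SSH sessions. For a recursive resolver the same pattern has to be applied to outbound queries as well (`udp dport 53 notrack` in the output hook, `udp sport 53 notrack` in prerouting), and the replies then have to be accepted statelessly on the input hook, which is a wider opening than an authoritative server needs. This is also the concrete reason behind the advice above against NAT: nftables NAT depends on connection tracking, so packets marked `notrack` are not translated, and DNS behind NAT is forced back into the state table.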
