On Sun, 6 Jun 1999, Dave Wreski wrote:
> Hi all. I'm using Linux and ipchains as a packet filter for my firewall.
> I'd like to protect my external DNS server from being used to do
> unauthorized zone transfers, as well as unauthorized queries.
Using a version of BIND 8.*, all of this is now configurable. You can
define networks and give per-network permissions. You can also statically
define the source port for queries outbound from the server. Back it up
with filter rules, but the first thing you should be doing is application
level security.
> Under what circumstances do I need TCP? Only for zone transfers?
If UDP fails, TCP gets tried next. I think it also gets tried for large
result sets. bind-workers would probably be the best authoritative
source for questions. "Ask Mr. DNS" at Acme Byte and Wire is pretty good
too though. http://www.acmebw.com/ - there's a "browse all the answers"
feature that's fairly handy.
> So far, I have UDP domain to domain for the two secondaries on the
> Internet. I noticed that if I allow UDP >1023 to domain, I allow Internet
> hosts to use my nameserver to look up hosts other than in my domain.
This has to do with query recursion. If you don't need to do recursive
queries, turn them off. If you need to restrict them, then use BIND 8's
access lists. If you're authoritative, you can't guarantee that external
nameservers won't query you from >1023, so you'll drop legitimate traffic
that way.
Shore up the application's security first, then start looking beyond it.
BIND 8 added a lot of the security stuff we've all been whining about
for years, from version masking to per-network access control to
configurable logging (thank goodness, having to recompile to switch
logging sucked). That feature set should ideally be your first line of
defense.
I'll admit to being slightly confused when you say you want to use your
firewall to protect your external nameserver. Are you saying the
nameserver is on the internal network? That's probably a less-than-ideal
topology choice from a security perspective if so. If it's off of a
third service network that's not so bad, but IMO you'd be doing just as
well to add the filtering rules to the DNS machine itself along with the
application rules. Physical access or encrypted access are the only ways
I'd let administrators in to the DNS. Core infrastructure should be
closely guarded. DNS qualifies as core infrastructure.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
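The BIND 8 controls Paul describes (per-network ACLs for transfers and recursion, a static outbound query source port, version masking and logging of denied requests), put together as a named.conf fragment for an external authoritative server. This is an added example, not configuration from the original thread; the addresses, zone name and file paths are constructed placeholders.

```conf
// Constructed example: external authoritative nameserver, BIND 8.2-style named.conf.
// Define the networks once, then grant permissions per network.
acl "secondaries" { 192.0.2.10; 198.51.100.20; };   // the two secondaries on the Internet
acl "internal"    { 10.0.0.0/8; };                  // hosts allowed to recurse through us

options {
    directory "/var/named";

    // Static source port for queries the server sends out, so the packet
    // filter only needs to permit domain<->domain rather than >1023<->domain.
    query-source address * port 53;

    // Anyone may ask about zones we are authoritative for.
    allow-query { any; };

    // Only the named secondaries may pull a zone transfer (AXFR over TCP).
    allow-transfer { secondaries; };

    // Do not answer recursive queries from the Internet; this is what stops
    // outside hosts using the server to look up names in other domains.
    // If internal hosts must recurse through this server, use instead:
    //   recursion yes;  allow-recursion { internal; };
    recursion no;

    // Version masking: hide the BIND release string from version.bind queries.
    version "unknown";
};

// Log approvals/denials of requests without recompiling.
logging {
    channel security_log {
        file "/var/log/named-security.log" versions 3 size 1m;
        severity info;
        print-time yes;
    };
    category security { security_log; };
};

// Per-zone statement; the zone-level allow-transfer overrides the global one.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { secondaries; };
};
```

With the query source pinned to port 53, the matching ipchains rules on the DNS host can be limited to UDP and TCP port 53 in both directions plus TCP 53 from the secondaries for transfers.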