[EMAIL PROTECTED] wrote:

> Hi, I am installing BIND 4 where in this set-up the firewall acts as a proxy for DNS
> queries. I was wondering what people did to secure bind... is there any way to
> stop queries coming from the outside world to the firewall's DNS?
>
> Strategies I thought of were:
>         - get BIND to only sit on the inside interface: presumably since queries
>           are UDP this won't work? Anyway can't find a way to do it.
>         - set-up a filter rule to stop packets from >1023 and use a forwarder
>           which is bind 4.

If you have a choice you'd better use BIND 8. It has configuration options to
listen on a specified interface and to allow queries only from specified IP
addresses. If you have routing disabled and BIND listening only on the inside
interface, there is no way to reach it from outside, UDP or not.

Here is a part of the BIND 8 config I use at the firewall for proxying DNS
queries:

acl iip {       // Internal firewall IP address
        192.168.1.1;
};

acl inet {      // Internal network
        192.168.1.0/24;
};

acl insiders {
        inet;
        localhost;
};

options {
        directory "/etc/namedb";
        allow-query {           // Allow queries from localhost and the internal network only
                insiders;
        };
        allow-transfer {        // Don't allow zone transfers
                none;
        };
        listen-on {             // Listen on the internal interface and loopback only
                iip;
                127.0.0.1;
        };
};

-- 
Alla Bezroutchko                                Systems Administrator
http://www.abb.aha.ru/                          Sovlink LLC, Moscow, RU
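A small Python model of how the address match lists in the config above resolve, added here as an example and not part of the thread. It simplifies BIND's semantics: first matching element wins, a leading "!" negates, nested ACL names are resolved recursively, and the "localhost" builtin is modelled as 127.0.0.0/8 (real BIND expands it to every address of the host).

```python
import ipaddress

# Builtin lists, simplified for this model (see lead-in about "localhost").
BUILTIN_ACLS = {
    "any": ["0.0.0.0/0"],
    "none": [],
    "localhost": ["127.0.0.0/8"],
}

# The ACLs and option lists from the posted named.conf, transcribed.
ACLS = {
    "iip": ["192.168.1.1"],          # internal firewall IP address
    "inet": ["192.168.1.0/24"],      # internal network
    "insiders": ["inet", "localhost"],
}
OPTIONS = {
    "allow-query": ["insiders"],
    "allow-transfer": ["none"],
    "listen-on": ["iip", "127.0.0.1"],
}


def match_element(addr, element, acls):
    """True for a positive match, False for a negated match, None for no match."""
    negate = element.startswith("!")
    if negate:
        element = element[1:]
    if element in acls:                       # reference to another list
        hit = match_list(addr, acls[element], acls)
    else:                                     # literal address or prefix
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(element, strict=False) or None
    return None if hit is None else (hit != negate)


def match_list(addr, elements, acls):
    """Walk the list in order; the first element that matches decides."""
    for element in elements:
        decision = match_element(addr, element, acls)
        if decision is not None:
            return decision
    return None  # nothing matched: BIND denies in that case


def allowed(addr, option):
    """Would BIND honour `option` (e.g. allow-query) for a packet from `addr`?"""
    acls = {**BUILTIN_ACLS, **ACLS}
    return match_list(addr, OPTIONS[option], acls) is True


if __name__ == "__main__":
    for src in ("192.168.1.5", "127.0.0.1", "203.0.113.7"):  # constructed test sources
        print(src, "query:", allowed(src, "allow-query"), "xfer:", allowed(src, "allow-transfer"))
```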