Folks,
If I implement packet filters on my firewall to allow DNS queries to enter,
should I be concerned about packets with both the source _and_ destination
ports set to 53? I'm curious if it's valid for a DNS server to use 53 as
the source port, since the config for the newer bind has the following
directive:
query-source address * port 53;
which, according to the notes in named.conf, tells bind to use 53 as the
source port, and goes on to mention that older versions of bind (< 8.1)
used 53 as the source port.
So, should I be allowing these packets in? Are there caveats I should be
aware of (I've presently got tcp and udp rules, and bind is configured to
only allow zone transfer requests from our ISP's name servers)? Would it
be prudent to create two sets of rules: one set to allow queries with a
source port of 53, and one set to allow queries with a source port of
1024:65535, or should I really not care what source port the packets come
in with, as long as they're destined for port 53 on my server?
Cheers!
Jon
-----------------------------------------------------------------
Jon Earle (613) 612-0946 (Cell)
HUB Computer Consulting Inc. (613) 830-1499 (Office)
http://www.hubcc.ca 1-888-353-7272 (Within Canada/US)
"God does not subtract from one's allotted time on Earth,
those hours spent flying." --Unknown
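A small stateless-filter model, added here as an illustration and not part of the original message, that evaluates the two rule sets Jon describes (source port 53 plus 1024:65535, versus "any source port as long as dport is 53") against constructed inbound packets; the rule shapes, port numbers and packet names are assumptions.

```python
# Added example (not from the original post): a tiny stateless packet-filter
# model to reason about which inbound DNS packets each rule set admits.
# Port numbers and sample packets are constructed for illustration.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    proto: str              # "udp" or "tcp"
    sport: Tuple[int, int]  # inclusive source-port range
    dport: Tuple[int, int]  # inclusive destination-port range

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        return (proto == self.proto
                and self.sport[0] <= sport <= self.sport[1]
                and self.dport[0] <= dport <= self.dport[1])

def allowed(rules: List[Rule], proto: str, sport: int, dport: int) -> bool:
    """Allow list: a packet passes if any rule matches, otherwise it is dropped."""
    return any(r.matches(proto, sport, dport) for r in rules)

# Rule set A: the "two sets" idea - queries from source port 53 (old bind, or
# 'query-source address * port 53') and queries from ephemeral ports.
TWO_SETS = [Rule(p, (53, 53), (53, 53)) for p in ("udp", "tcp")] + \
           [Rule(p, (1024, 65535), (53, 53)) for p in ("udp", "tcp")]

# Rule set B: ignore the source port; only the destination port matters.
DPORT_ONLY = [Rule(p, (1, 65535), (53, 53)) for p in ("udp", "tcp")]

# Constructed inbound packets as seen at the firewall in front of the server.
PACKETS = {
    "query_from_old_bind":      ("udp", 53,    53),    # resolver using source port 53
    "query_from_ephemeral":     ("udp", 33211, 53),    # typical resolver
    "reply_to_our_query":       ("udp", 53,    53),    # answer to our own lookup when we use query-source port 53
    "reply_to_ephemeral_query": ("udp", 53,    40000), # answer if we used an ephemeral source port: neither set covers it
    "query_from_low_port":      ("udp", 1000,  53),    # unusual, but still aimed at our DNS service
    "zone_xfer_tcp":            ("tcp", 45123, 53),    # AXFR from the ISP arrives over TCP/53
    "sport53_to_other_port":    ("udp", 53,    1234),  # source port 53 alone unlocks nothing else
}

def compare(name: str) -> Tuple[bool, bool]:
    """Return (admitted by TWO_SETS, admitted by DPORT_ONLY) for a sample packet."""
    pkt = PACKETS[name]
    return allowed(TWO_SETS, *pkt), allowed(DPORT_ONLY, *pkt)
```

The only packets the two sets disagree on are queries from source ports 1 to 1023 other than 53, which the destination-only rule still admits; replies to lookups made from an ephemeral port are dropped by both, which is where a separate reply rule or a stateful filter comes in.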