On Wed, Apr 25, 2001 at 02:02:57PM -0500, Eliyah Lovkoff wrote:
> My DNS server resides on the LAN network (not on the DMZ). This DNS server acts as a
> forwarder to the DNS servers on the ISP site.
> I want to secure DNS communications but I'm not sure what is the way to set
> it up...
> 
> First scenario:
> ANY > Internal_DNS > domain-udp > Accept
> Internal_DNS > ANY > domain-udp > Accept
> 
> 1. Is it a correct way to secure DNS communication or is there anything else
> that must be done?

Depends on what you mean by "secure."  Do you mean relatively
unspoofable and uncrackable, or do you mean "cryptographically secure?"

If the former, you would do well to use djbdns:
http://cr.yp.to/djbdns.html

If the latter, then use [djbdns and] IPSec.


> 2. Should I replace ANY with the DNS addresses of the ISP servers, thus restricting
> DNS communications to communications between my DNS and the ISP's DNS server?
> 3. Should I include domain-tcp also, to be able to perform zone transfers
> between my DNS and the ISP's?

I'm afraid I'm not clear on what exactly you are doing.

Do you just need a caching DNS server for your own networks, or do you
also wish to host your own domains' authoritative records?

If the former, you need to allow inbound packets to high udp ports from
source udp port 53 in order to receive remote DNS servers' replies to
your queries; you should also allow non-SYN tcp responses with the same
port specifications for those few cases where your dns clients will have
to re-try queries over TCP, and for zone transfers.

If the latter, then you need to do the above _as well as_ allow inbound
53/udp.  Whether you allow inbound 53/tcp depends on your records and
whether you need to allow zone transfers.  As someone else has already
noted, "it's not just for zone transfers."  However if your DNS replies
are <= 512 bytes then clients won't need to re-try over tcp.  IOW, most
sites don't need to allow TCP queries... YMMV though.

(See also: http://cr.yp.to/djbdns/faq/tinydns.html#tcp )


This page may also help clarify things (thanks Jonathan):

http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-server-roles.html
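As an added illustration (not part of the mail above or of djbdns), the following model of the stateless filter described in the reply lets you check individual packets against it for both roles. It assumes "high ports" start at 1024, that the mail's "non-SYN tcp responses" means "anything except a bare SYN (SYN set, ACK clear)", and that inbound 53/tcp for an authoritative server is a separate opt-in; `Packet`, `allowed` and the sample packets are constructed here.

```python
from dataclasses import dataclass

EPHEMERAL_MIN = 1024   # assumption: "high udp ports" are 1024 and above
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    direction: str       # "in" = Internet -> Internal_DNS, "out" = the reverse
    proto: str           # "udp" or "tcp"
    sport: int
    dport: int
    syn: bool = False    # TCP SYN flag (ignored for UDP)
    ack: bool = False    # TCP ACK flag (ignored for UDP)


def allowed(pkt: Packet, authoritative: bool, allow_tcp_queries: bool = False) -> bool:
    """Return True if a filter built along the lines of the mail passes pkt.

    authoritative=False models the caching-only resolver; authoritative=True
    adds inbound 53/udp, and allow_tcp_queries=True additionally opens 53/tcp
    for TCP retries and zone transfers initiated by remote hosts.
    """
    if pkt.proto not in ("udp", "tcp"):
        return False
    if pkt.direction == "out":
        # Our own queries and outbound zone-transfer connections: high port -> 53.
        if pkt.dport == DNS_PORT and pkt.sport >= EPHEMERAL_MIN:
            return True
        # Replies we send only exist when we host authoritative records.
        return authoritative and pkt.sport == DNS_PORT
    if pkt.direction != "in":
        return False
    # Remote servers' replies to our queries: source port 53 -> our high ports.
    reply = pkt.sport == DNS_PORT and pkt.dport >= EPHEMERAL_MIN
    if pkt.proto == "udp":
        return reply or (authoritative and pkt.dport == DNS_PORT)
    # TCP: a reply to a connection we opened is never a bare SYN; a bare SYN
    # from port 53 is a new inbound connection, not a response to our query.
    bare_syn = pkt.syn and not pkt.ack
    if reply and not bare_syn:
        return True
    # Inbound TCP queries / zone transfers need 53/tcp and the explicit opt-in.
    return authoritative and allow_tcp_queries and pkt.dport == DNS_PORT
```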