On Tue, Aug 22, 2000 at 10:19:52PM +1000, Michael Fox said:
--> Hi,
--> The machine hosts several domains, so I have to make sure that named will
--> communicate to the outside world to do zone-xfers.
--> So could someone be so kind to put me out of my pain and show me how they
--> have done the dns bit, especially when using a default input policy of
--> REJECT.
--> I need to open up the right ports/protocols to allow nslookup to work and
--> also zone-xfers to the secondary.
Hi Michael,
I've got basically the same policy setup on a remote box which lives at mum's in
Central Vic..
BIND usually uses udp for doing dns lookups, but when doing zone transfers, or if the
results of the lookup exceed the size of a udp packet, it will revert to tcp. You
need to allow in tcp and udp to port 53 of your dns server - something like the
following:
# Allow DNS would help somewhat
## In to ns1
# Queries and zone transfers arriving at the nameserver (tcp for AXFR and large answers, udp for lookups)
/sbin/ipchains -I input -j ACCEPT -p tcp -d 203.37.84.82 53
/sbin/ipchains -I input -j ACCEPT -p udp -d 203.37.84.82 53
# Answers coming back from other nameservers (source port 53) to our nameserver
/sbin/ipchains -I input -j ACCEPT -p tcp -s 0/0 53 -d 203.37.84.82
/sbin/ipchains -I input -j ACCEPT -p udp -s 0/0 53 -d 203.37.84.82
You'll also want to make sure your named is bound to port 53 for its query-source -
otherwise it'll pick a random source port, and make it nigh on impossible to do your
firewall rules to allow it back in..
# Put this in your named.conf
options {
	query-source address 203.37.84.82 port 53;
};
Oh yeah, and replace 203.37.84.82 with the IP of your dns server.. :)
Regards,
Damien Gardner Jnr - Dip.EE StudIEAust
[EMAIL PROTECTED] - http://www.rendrag.net/
Ph: 0417 055 052 - Fax: 02 6299 9713
-- Can I trade this job for what's behind door # 2?
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
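The four input rules from the reply as a first-match evaluator, an added example that is not part of Damien's post: it parses only the ipchains options those rules use (-p, -s, -d with an optional port, -j), honours -I inserting at the head of the chain, and returns the chain's verdict for a packet (protocol, source address and port, destination address and port) under the default REJECT input policy the thread is about.

```python
import ipaddress
import shlex
NS = "203.37.84.82"  # the nameserver address used in the post; RULES are its four rules
RULES = f"""
/sbin/ipchains -I input -j ACCEPT -p tcp -d {NS} 53
/sbin/ipchains -I input -j ACCEPT -p udp -d {NS} 53
/sbin/ipchains -I input -j ACCEPT -p tcp -s 0/0 53 -d {NS}
/sbin/ipchains -I input -j ACCEPT -p udp -s 0/0 53 -d {NS}
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def _endpoint(args, i):
    """Parse the 'ADDR [PORT]' that follows -s or -d; 0/0 means any host."""
    net = ANY if args[i] == "0/0" else ipaddress.ip_network(args[i], strict=False)
    has_port = i + 1 < len(args) and args[i + 1].isdigit()
    return net, (int(args[i + 1]) if has_port else None), i + (2 if has_port else 1)

def parse_rule(line):
    """Reduce one ipchains command to the match fields the post's rules use."""
    args = shlex.split(line)
    rule = dict(proto="all", src=ANY, sport=None, dst=ANY, dport=None, target=None, insert="-I" in args)
    i = 0
    while i < len(args):
        if args[i] in ("-p", "-j"):
            rule["proto" if args[i] == "-p" else "target"], i = args[i + 1], i + 2
        elif args[i] == "-s":
            rule["src"], rule["sport"], i = _endpoint(args, i + 1)
        elif args[i] == "-d":
            rule["dst"], rule["dport"], i = _endpoint(args, i + 1)
        else:
            i += 1  # the binary name, -I/-A and the chain name carry no match data
    return rule

def build_chain(text):
    """-I inserts at the head of the chain, so later -I rules are tested first."""
    chain = []
    for rule in map(parse_rule, filter(str.strip, text.splitlines())):
        chain.insert(0, rule) if rule["insert"] else chain.append(rule)
    return chain

def verdict(chain, proto, src, sport, dst, dport, policy="REJECT"):
    """First matching rule decides; with no match the chain's default policy applies."""
    for r in chain:
        if (r["proto"] in ("all", proto) and r["sport"] in (None, sport) and r["dport"] in (None, dport)
                and ipaddress.ip_address(src) in r["src"] and ipaddress.ip_address(dst) in r["dst"]):
            return r["target"]
    return policy

CHAIN = build_chain(RULES)  # the post's chain with default policy REJECT
```

Calling verdict(CHAIN, "udp", "192.0.2.10", 40000, NS, 53) answers ACCEPT for an ordinary lookup, while the same packet to port 23 falls through to REJECT; the remote address 192.0.2.10 is a made-up one.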