DNS server behind a firewall?

The problem…

There are lots of badly constructed firewalls.

  • Some block source port != 53
  • Some block source port < 1024
  • Some block source port 1024-1030 (rpc ports)
  • Some block source port ~7000 (irc ports)

If you have a nameserver, the firewall should allow traffic to port 53
on the nameserver regardless of the source port. The firewall should
also allow reply traffic to any destination port.

…the right way

With a first-match firewall you should have rules like:

stateful firewall

  • check-state ; allow inbound replies
  • allow any to nameserver 53 in ; allow inbound queries
  • allow nameserver 53 to any out ; allow replies
  • allow any to any 53 out keep-state ; allow outbound queries
  • <put your general blocks here>
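The stateful rule list above, modelled as a small first-match evaluator. This is an added example, not code from the original post: the nameserver address, the packet values and the class and function names are constructed for illustration, and check-state is simplified to match only the reverse of a recorded flow.

```python
NS = "192.0.2.53"  # hypothetical nameserver address (documentation range)

def pkt(src, sport, dst, dport, direction):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "dir": direction}

class StatefulFirewall:
    """First-match model of the stateful rule list; the first hit wins."""

    def __init__(self, ns):
        self.ns = ns
        self.states = set()  # flows recorded by the keep-state rule

    def decide(self, p):
        reverse = (p["dst"], p["dport"], p["src"], p["sport"])
        # check-state ; allow inbound replies to recorded outbound queries
        if p["dir"] == "in" and reverse in self.states:
            return "allow: check-state"
        # allow any to nameserver 53 in ; any source port is accepted
        if p["dir"] == "in" and p["dst"] == self.ns and p["dport"] == 53:
            return "allow: inbound query"
        # allow nameserver 53 to any out ; any destination port is accepted
        if p["dir"] == "out" and p["src"] == self.ns and p["sport"] == 53:
            return "allow: reply"
        # allow any to any 53 out keep-state ; remember the flow for check-state
        if p["dir"] == "out" and p["dport"] == 53:
            self.states.add((p["src"], p["sport"], p["dst"], p["dport"]))
            return "allow: outbound query"
        # <put your general blocks here>
        return "deny: general block"

def demo():
    fw = StatefulFirewall(NS)
    packets = [  # constructed sample traffic
        pkt("198.51.100.7", 53, NS, 53, "in"),     # query from source port 53
        pkt("198.51.100.8", 1025, NS, 53, "in"),   # source port in 1024-1030
        pkt("198.51.100.9", 7000, NS, 53, "in"),   # source port ~7000
        pkt(NS, 53, "198.51.100.9", 7000, "out"),  # reply to that client
        pkt(NS, 40000, "203.0.113.1", 53, "out"),  # recursive query going out
        pkt("203.0.113.1", 53, NS, 40000, "in"),   # its reply coming back
        pkt("203.0.113.2", 53, NS, 40001, "in"),   # unsolicited, no state
    ]
    return [fw.decide(p) for p in packets]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The queries from source ports 1025 and 7000 are exactly the ones the badly constructed firewalls listed earlier would drop; here they pass, while the unsolicited packet to a high port still falls through to the general block.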

stateless firewall (query-source port 53)

  • allow tcp established
  • allow any to nameserver 53 in ; allow inbound queries and inbound replies
  • allow nameserver 53 to any out ; allow replies
  • allow udp any 53 to any 53 out ; allow outbound queries
  • <put your general blocks here>

If you are worried about too much state being kept with the stateful
firewall, you can treat the recursive servers as you would on a
stateless firewall by inserting a rule like this before the keep-state rule:

  • allow udp <recursive server> 53 to any 53 out

BIND has a built-in list of ports to which it will not
respond with error messages. It will also not reply
to responses.

(ref)

Author: Sotiris Tsimbonis

I work as a Systems Administrator in Forthnet. All posts in this blog do NOT represent my employer's views.
