DNS server πίσω από firewall?

Το πρόβλημα…

There are lots of badly constructed firewalls.

Some block source port != 53

Some block source port < 1024

Some block source port 1024-1030 (rpc ports)

Some block source port ~7000 (irc ports)

If you have a nameserver you should allow traffic to port 53
on the nameserver regardless of the source port. It should
also allow reply traffic to any destination port.

…ο σωστός τρόπος

With a first match firewall you should have rules like:

state-full firewall

check-state ; allow inbound replies

allow any to nameserver 53 in ; allow inbound queries

allow nameserver 53 to any out ; allow replies

allow any to any 53 out keep-state ; allow outbound queries

<put your general blocks here>

state-less firewall (query-source port 53)

allow tcp established

allow any to nameserver 53 in ; allow inbound queries and inbound replies

allow nameserver 53 to any out ; allow replies

allow udp any 53 to any 53 out ; allow outbound queries

<put your general blocks here>

If you are worried about too much state being kept with the state-full
firewall you can do it as a state-less firewall for the recursive
servers by inserting a rule like this before the keep-state rule

allow udp <recursive server> 53 to any 53 out

Bind has a built in list of ports for which it will not
responed to with error messages. It will also not reply
to responses.

(ref)

One Reply to “DNS server πίσω από firewall?”

Σχολιάστε Ακύρωση απάντησης

Γράψτε το σχόλιο σας εδώ....

Εισάγετε τα παρακάτω στοιχεία ή επιλέξτε ένα εικονίδιο για να συνδεθείτε:

Ηλ. διεύθυνση (απαιτείται) Δεν θα εμφανιστεί δημόσια.

Όνομα (απαιτείται)

Ιστότοπος

Σχολιάζετε χρησιμοποιώντας τον λογαριασμό WordPress.com. ( Αποσύνδεση / Αλλαγή )

Σχολιάζετε χρησιμοποιώντας τον λογαριασμό Twitter. ( Αποσύνδεση / Αλλαγή )

Σχολιάζετε χρησιμοποιώντας τον λογαριασμό Facebook. ( Αποσύνδεση / Αλλαγή )

Ακύρωση

Σύνδεση με %s

follow me on twitter

RT @hsoc: Merry Christmas @hellasdirect 🎅🎄 https://t.co/V7xxbjw9YS 1 year ago

RT @bad_packets: It's not DNS There's no way it's DNS It was DNS twitter.com/BleepinCompute… 1 year ago

RT @PowerDNS_Bert: Dear EU: Cyber security is important, but please don’t #RuinTheRoot by regulating the non-essential entities that run th… 1 year ago

RT @_argp: BugTraq Shutdown, end of an era: "At this time, resources for the BugTraq mailing list have not been prioritized, and this will… 2 years ago

RT @jpmens: IT WASN’T DNS twitter.com/atoonk/status/… 2 years ago

RT @fanf: “For the first time, nginx is in use by more web-facing computers than any other web server, including Apache” https://t.co/rscQy… 2 years ago

RT @skaragiannis: In case you missed it https://t.co/X3FUqYZYqZ 2 years ago

RT @QuinnyPig: The best part about this question is that (aside from the third answer's "single digit millisecond latency") I can make it d… 3 years ago

RT @ripencc: Today, at 15:35, we made our final /22 IPv4 allocation from the last remaining addresses in our available pool. We have now ru… 3 years ago

RT @hellasdirect: Sotiris Tsimbonis, our infrastructure and automation lead, has been with us from day 1. Today, we are proud to see him ex… 3 years ago

Follow @stsimb

Linux Weekly News

X.org vulnerability and releases

The X.Org project has announced a vulnerability in its X server and Xwayland (CVE-2023-1393). This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. [...] If a client explicitly destroys the compositor overlay window (aka COW), the Xserver would leave a da […]

jake

[$] The trouble with MODULE_LICENSE() in non-modules

The kernel's hierarchical maintainer model works quite well from the standpoint of allowing thousands of developers to work together without (often) stepping on each others' toes. But that model can also make life painful for developers who are trying to make changes across numerous subsystems. Other possible source of pain include changes related […]

corbet

Stable kernels 6.2.9, 6.1.22, 5.15.105, and 5.4.239

Greg Kroah-Hartman has announced the release of the 6.2.9, 6.1.22, 5.15.105, and 5.4.239 stable kernels. The latter (5.4.239) has single patch to fix the permissions of a selftest file, while the other three have a lengthy list of important fixes throughout the kernel tree.

jake

Security updates for Thursday

Security updates have been issued by Debian (xorg-server and xrdp), Fedora (mingw-python-certifi, mingw-python3, mingw-zstd, moodle, python-cairosvg, python-markdown-it-py, redis, xorg-x11-server, and yarnpkg), Slackware (mozilla and xorg), SUSE (grub2, ldb, samba, libmicrohttpd, python-Werkzeug, rubygem-rack, samba, sudo, testng, tomcat, webkit2gtk3, xorg-x […]

jake

[$] LWN.net Weekly Edition for March 30, 2023

The LWN.net Weekly Edition for March 30, 2023 is available.

corbet

[$] Rebecca Giblin on chokepoint capitalism

The fourth and final keynote for Everything Open 2023 was given by Professor Rebecca Giblin of the Melbourne Law School, University of Melbourne. It revolved around her recent book, Chokepoint Capitalism, which she wrote with Cory Doctorow; it is "a book about why creative labor markets are rigged — and how to unrig them". Giblin had planned to be […]

jake

[$] OpenSUSE MicroOS Desktop: a Flatpak-based immutable distribution

Immutable Linux distributions are on the rise recently, with multiple popular distributions creating their own immutable versions; it could be one of the trends of 2023, as predicted. While many of these immutable distributions are focused on server use, there are also some that offer a desktop experience. OpenSUSE MicroOS Desktop is one of them, with a mini […]

jake

Stenberg: Pre-notification dilemmas

Curl maintainer Daniel Stenberg expresses some frustrations with the vulnerability notification policies maintained by the distros mailing list. The week before we were about to ship the curl 8.0.0 release, I emailed the distros mailing list again like I have done so many times before and told them about the upcoming six(!) vulnerabilities we were about to r […]

corbet

Security updates for Wednesday

Security updates have been issued by Debian (unbound and xorg-server), Fedora (stellarium), Oracle (kernel), SUSE (apache2, oracleasm, python-Werkzeug, rubygem-loofah, sudo, and tomcat), and Ubuntu (git, kernel, and linux-hwe-5.19).

corbet

[$] Ubuntu stops shipping Flatpak by default

Canonical recently announced that it will no longer ship Flatpak as part of its default installation for the various official Ubuntu flavors, which is in keeping with the practices of the core Ubuntu distribution. The Flatpak package format has gained popularity among Linux users for its convenience and ease of use. Canonical will focus exclusively on its ow […]

jake

	Michail στη Ελληνικά ή Αγγλικά;
	adamo στη Ελληνικά ή Αγγλικά;
	Michail στη Ελληνικά ή Αγγλικά;
	Michail στη Ελληνικά ή Αγγλικά;
	cvi going distribute… στη version control for important…
	bilias στη It’s a girl!
	Sotiris Tsimbonis στη It’s a girl!
	kioan στη It’s a girl!
	kzorba στη It’s a girl!
	Sotiris Tsimbonis στη It’s a girl!

Share this:

Μου αρέσει αυτό:

Σχετικά

One Reply to “DNS server πίσω από firewall?”

Σχολιάστε Ακύρωση απάντησης