In message <1200b563-8a00-4c0a-822d-85733143f...@mac.com>, Chuck Swiger writes:
> On Mar 15, 2011, at 11:08 AM, Martin McCormick wrote:
> > Is there a recommended set of firewall rules that insure that all
> > necessary DNS traffic can enter and leave, even the larger
> > packets that result from dns-sec?
>
> # allow UDP DNS queries out to the world, and in to your nameservers
> ## It's faster to do this stateless, and reduces DoS risk against the firewall,
> ## but you are exposing your network to UDP port scans from source port 53
> ## (if you have other open UDP ports). If you want to be stateful, switch to:
> ## add pass udp from any to $NAMESERVER_IP 53 keep-state
> ## add pass udp from $YOURNET to any 53 keep-state
>
> add pass udp from any to $NAMESERVER_IP 53
> add pass udp from $NAMESERVER_IP 53 to any
> add pass udp from $YOURNET 53,1024-65535 to any 53
> add pass udp from any 53 to $YOURNET 53,1024-65535
>
> # allow TCP DNS outbound and inbound only to nameserver boxes
> ## Likewise, you can add keep-state if you want to be stateful;
> ## in which case the established line can be removed.
> add pass tcp from any to any established
> add pass tcp from $YOURNET to any 53 setup
> add pass tcp from any to $NAMESERVER_IP 53 setup
>
> ------
>
> For something like a Cisco PIX/ASA, you probably want "no fixup protocol dns"
> to avoid breaking EDNS, but "fixup protocol dns maximum-length 4096" might
> be a workable alternative.
You also want to pass UDP fragments. e.g.

ipfw:
	add pass udp from any to any frag

ipf:
	pass in quick proto udp from any to any with frag keep frag

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
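As an added illustration (not code from either poster), a small Python model of Chuck's stateless ruleset with Mark's fragment rule switchable, evaluated against constructed packets. It shows why the frag rule matters for large DNSSEC answers: a non-initial IP fragment carries no UDP header, so none of the port-based rules can ever match it. The values for $NAMESERVER_IP and $YOURNET are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NAMESERVER_IP = "192.0.2.53"   # constructed stand-in for $NAMESERVER_IP
YOURNET = "192.0.2.0/24"       # constructed stand-in for $YOURNET
DNS = (range(53, 54),)                               # port list "53"
DNS_AND_HIGH = (range(53, 54), range(1024, 65536))   # port list "53,1024-65535"

@dataclass
class Pkt:
    proto: str                 # "udp" or "tcp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    frag: bool = False         # non-initial IP fragment: no UDP/TCP header, so no ports
    setup: bool = False        # TCP SYN without ACK (ipfw "setup")
    established: bool = False  # TCP with ACK or RST set (ipfw "established")

def _in(addr, net):
    return net == "any" or ip_address(addr) in ip_network(net)
def _port_ok(port, allowed):
    return allowed is None or any(port in r for r in allowed)

def udp(src, sports, dst, dports):
    # `add pass udp from SRC [SPORTS] to DST [DPORTS]`; a non-initial fragment has
    # no UDP header, so the port tests can never match it.
    return lambda p: (p.proto == "udp" and not p.frag and _in(p.src, src)
                      and _in(p.dst, dst) and _port_ok(p.sport, sports)
                      and _port_ok(p.dport, dports))
def tcp(src, dst, dports, flag):
    # `add pass tcp from SRC to DST [DPORTS] setup|established`
    return lambda p: (p.proto == "tcp" and not p.frag and _in(p.src, src)
                      and _in(p.dst, dst) and _port_ok(p.dport, dports) and getattr(p, flag))
# Mark's addition, `add pass udp from any to any frag`: matches only non-initial fragments.
udp_frag = lambda p: p.proto == "udp" and p.frag

def ruleset(allow_frag):
    """Chuck's stateless rules in posted order, plus the frag rule when allow_frag is set."""
    rules = [
        udp("any", None, NAMESERVER_IP, DNS),
        udp(NAMESERVER_IP, DNS, "any", None),
        udp(YOURNET, DNS_AND_HIGH, "any", DNS),
        udp("any", DNS, YOURNET, DNS_AND_HIGH),
        tcp("any", "any", None, "established"),
        tcp(YOURNET, "any", DNS, "setup"),
        tcp("any", NAMESERVER_IP, DNS, "setup"),
    ]
    return rules + [udp_frag] if allow_frag else rules

def passes(pkt, allow_frag=True):
    # ipfw is default-deny: the packet is accepted only if some pass rule matches.
    return any(rule(pkt) for rule in ruleset(allow_frag))
```

The same model also makes Chuck's caveat visible: a UDP packet from source port 53 to any high port inside $YOURNET is passed by the fourth rule whether or not it is a DNS answer.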