Depending on your firewall policy you can tweak the query-source parameter in
named.conf to use the newer BIND 8.x behaviour of port allocation, or revert
back to the way 4.x used to do it.

"man named.conf" explains the use of query-source.
Regards,

Chris.

Lance Ecklesdafer wrote:

> Not to state the obvious but for the benefit of all, I use two DNS servers
> as Tony suggested.. One DNS is behind the firewall and is used by internal
> workstations and servers. The other DNS is outside the firewall and on the
> DMZ. These two DNS servers DO NOT exchange zone information with each other.
> The ONLY records on the outside DNS are the ones necessary for communication
> to hosts available externally to the company. That way there is no chance of
> learning the internal network infrastructure by compromising the outside
> DNS. I realize that this results in a larger administrative overhead and a
> slightly higher cost, but it really is not that much when you consider what
> kind of security it gives you to leave the outside queries .. outside the
> firewall. As Tony points out, if you compromise the external server, you
> still have to get through the firewall.
>
> Lance
>
> ----- Original Message -----
> From: "Tony Rall" <[EMAIL PROTECTED]>
> To: "Edward Ingram" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Thursday, April 12, 2001 9:12 PM
> Subject: Re: Which port(s) to allow through for DNS server
>
> >
> > Have you looked at your firewall logs to see what might be getting blocked?
> >
> > To fully support dns you should allow both 53/udp and 53/tcp into your
> > nameserver.  (Please, list, let's not argue once again about the need for
> > tcp - it's required by the RFCs and some things break if you don't allow
> > it.)
> >
> > And, of course, you must allow the response traffic back out - source port
> > 53 on your nameserver, any destination port.
> >
> > You should be aware that running a nameserver this way (inside the
> > firewall, but allowing queries from the Internet) exposes your internal
> > network more than most of us would accept.  It was just a few weeks ago
> > that a bind daemon compromise was found for most then extant versions.
> > Better security is obtained by running a separate nameserver on your dmz
> > (outside your main firewall).  Yes, such a server is still exposed, but if
> > it's compromised the attacker still has to get through the firewall to
> > feast on your internal network.
> >
> > Tony Rall
> >
> >
> > "Edward Ingram" <[EMAIL PROTECTED]>@Lists.GNAC.NET on 2001-04-12
> > 17:42:03
> > I have a DNS server inside our firewall.  People outside the firewall
> > (Universe) need to access this DNS server to resolve requests.  I've tried
> > opening up UDP 53 on the firewall, but requests still aren't going through.
> > I know the DNS server is working because it fulfills requests sent to it
> > from clients on the inside of the firewall.  Is that the right port to use?
> >
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
>

