Date:      Mon, 19 Jun 2000 14:03:48 +0100
From:      Matt Spiers <matt@pavilion.net>
To:        Andy Dills <andy@xecu.net>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Hijacking DNS with ipfw
Message-ID:  <20000619140348.M79276@pavilion.net>
In-Reply-To: <Pine.GSO.4.21.0006091900050.21767-100000@shell.xecu.net>; from andy@xecu.net on Fri, Jun 09, 2000 at 07:01:00PM -0400
References:  <Pine.GSO.4.21.0006091900050.21767-100000@shell.xecu.net>

> I'm in a situation where I have customers with various DNS servers
> configured. These customers are all behind a FreeBSD (4.0-R) box. The
> FreeBSD box is running named (among other things).
> 
> I had thought that this rule would cut it:
> 
> ipfw add 10 fwd 127.0.0.1,53 udp from any to any 53 recv xl1
> 
> But that just doesn't work. I'm assuming it's because maybe named gets
> confused because fwd rules preserve the dest IP (as fwd rules are intended
> to be used in transparent caching).
> 

Don't know if this is the answer and if it's been mentioned:
Are you using higher than BIND 4? BIND 4 always sends queries
from port 53 but BIND 8 name servers don't send queries from port 53
as default.  To force it you can add:
options { query-source * port 53; };

From the O'Reilly DNS & BIND book, 3rd ed., p. 381


Good luck,

Matt.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
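The following script is an added illustration and is not code from the thread or from FreeBSD or BIND. It models the sanity checks a stub resolver applies to a UDP answer (the reply must come from the address and port the query was sent to, carry the same transaction ID, and echo the question) and runs them over a constructed scenario: a client queries 192.0.2.53:53, an ipfw fwd rule diverts the packet to the gateway's own named, and the answer is assumed (as the original poster suspects) to arrive from the gateway's address 192.0.2.1:53 instead. The addresses, the resolver model and the diverted-answer assumption are all constructed for the example; they show why a transparent redirect can silently fail even though named answers correctly.

```python
"""Stub-resolver acceptance checks for a UDP DNS reply (added example).

Constructed scenario, not taken from the mailing-list thread: a client
behind the gateway sends its query to 192.0.2.53:53; an ipfw fwd rule
diverts it to the gateway's named, which (by assumption) answers from the
gateway's own address 192.0.2.1:53.
"""
import struct

CLIENT_SERVER = ("192.0.2.53", 53)  # where the client believes it sent the query
GATEWAY = ("192.0.2.1", 53)         # assumed source of the diverted answer


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid):
    """Minimal DNS query: 12-byte header with RD set plus one A/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_reply(query, ipv4):
    """Answer `query` with a single A record (constructed test data)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = query[12:]
    # Name pointer to offset 12 (the question name), type A, class IN, TTL, RDLENGTH, RDATA
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) \
        + bytes(int(o) for o in ipv4.split("."))
    return header + question + rr


def parse_header(pkt):
    """Decode the fixed DNS header fields a resolver looks at."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def reply_acceptable(query, sent_to, reply, received_from):
    """Return (accepted, reason) for a UDP reply, mimicking a stub resolver.

    The source check comes first: a resolver discards datagrams that do not
    come from the (address, port) it addressed, before looking at the payload.
    """
    if received_from != sent_to:
        return False, (f"reply came from {received_from[0]}:{received_from[1]}, "
                       f"query went to {sent_to[0]}:{sent_to[1]}")
    q = parse_header(query)
    r = parse_header(reply)
    if not r["qr"]:
        return False, "not a response"
    if r["id"] != q["id"]:
        return False, "transaction ID mismatch"
    question = query[12:]
    if reply[12:12 + len(question)] != question:
        return False, "question section does not echo the query"
    return True, "ok"


def demo():
    """Same answer bytes, judged once as diverted and once as direct."""
    query = build_query("example.com", 0x1234)
    reply = build_reply(query, "192.0.2.10")
    diverted = reply_acceptable(query, CLIENT_SERVER, reply, GATEWAY)
    direct = reply_acceptable(query, CLIENT_SERVER, reply, CLIENT_SERVER)
    return diverted, direct


if __name__ == "__main__":
    for label, verdict in zip(("diverted", "direct"), demo()):
        print(f"{label}: accepted={verdict[0]} ({verdict[1]})")
```

Run as a script it reports the diverted answer as rejected on the source check alone and the identical bytes as accepted when they come from the addressed server; the transaction-ID and question checks are what a resolver falls back on once the source matches, which is why a redirect that preserves the apparent source is the part that matters.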