Date: Mon, 19 Jun 2000 14:03:48 +0100
From: Matt Spiers <matt@pavilion.net>
To: Andy Dills <andy@xecu.net>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Hijacking DNS with ipfw
Message-ID: <20000619140348.M79276@pavilion.net>
In-Reply-To: <Pine.GSO.4.21.0006091900050.21767-100000@shell.xecu.net>; from andy@xecu.net on Fri, Jun 09, 2000 at 07:01:00PM -0400
References: <Pine.GSO.4.21.0006091900050.21767-100000@shell.xecu.net>
> I'm in a situation where I have customers with various DNS servers
> configured. These customers are all behind a FreeBSD (4.0-R) box. The
> FreeBSD box is running named (among other things).
>
> I had thought that this rule would cut it:
>
>     ipfw add 10 fwd 127.0.0.1,53 udp from any to any 53 recv xl1
>
> But that just doesn't work. I'm assuming it's because maybe named gets
> confused because fwd rules preserve the dest IP (as fwd rules are intended
> to be used in transparent caching).
>

Don't know if this is the answer and if it's been mentioned:

Are you using higher than BIND 4? BIND 4 always sends queries from port 53,
but BIND 8 name servers don't send queries from port 53 by default. To force
it you can add:

    options { query-source * port 53; };

From the O'Reilly DNS & BIND book, 3rd ed., p. 381.

Good luck,
Matt.
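Added example, not part of the thread: the quoted message notes that an ipfw fwd rule keeps the packet's original destination address. The script below models the checks a client stub resolver applies before trusting a UDP reply (transaction id, QR flag, echoed question section, and the reply's source address and port matching the server the query went to) and shows that a diverted query is only accepted if the answer comes back from the address the client originally sent it to. Addresses, the transaction id and the hypothetical local responder are all constructed for the demonstration.

```python
import struct
from dataclasses import dataclass


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Encode a minimal DNS query: 12-byte header (RD set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def build_answer(query: bytes, addr: str) -> bytes:
    """Build a reply carrying one A record; txid and question are copied from the query."""
    (txid,) = struct.unpack("!H", query[:2])
    question = query[12:]                      # one question: name + type + class
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    # name pointer to offset 12, type A, class IN, TTL 60, rdlength 4, IPv4 octets
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
    rr += bytes(int(o) for o in addr.split("."))
    return header + question + rr


@dataclass(frozen=True)
class PendingQuery:
    txid: int
    question: bytes          # question section exactly as sent
    server: tuple            # (ip, port) the query was addressed to


def accept_response(pending: PendingQuery, response: bytes, src: tuple) -> bool:
    """Checks a stub resolver makes before trusting a UDP reply.

    The reply has to come from the address/port the query was sent to, carry
    the same transaction id, be flagged as a response, and echo the question.
    """
    if src != pending.server:
        return False
    if len(response) < 12:
        return False
    txid, flags, qdcount = struct.unpack("!HHH", response[:6])
    if txid != pending.txid or not (flags & 0x8000) or qdcount != 1:
        return False
    return response[12:12 + len(pending.question)] == pending.question


def simulate_redirect(answer_from_original_dest: bool) -> bool:
    """Client sends to a constructed upstream resolver; a gateway diverts the
    packet to a local name server. Returns whether the client accepts the reply
    when the local server answers from the preserved destination address
    (True) or from the gateway's own address (False)."""
    client_target = ("198.51.100.53", 53)          # constructed upstream resolver
    gateway_addr = ("10.0.0.1", 53)                # constructed gateway address
    query = build_query(0x1234, "example.com")
    pending = PendingQuery(0x1234, query[12:], client_target)
    reply = build_answer(query, "192.0.2.10")      # constructed answer
    reply_src = client_target if answer_from_original_dest else gateway_addr
    return accept_response(pending, reply, reply_src)


if __name__ == "__main__":
    print("reply from original destination accepted:", simulate_redirect(True))
    print("reply from gateway address accepted:     ", simulate_redirect(False))
```

The source check is the part that matters for transparent redirection: diverting the datagram with fwd is only half the job, because the client still expects the answer to arrive from the server it addressed, so a responder that replies from its own interface address gets its answer discarded.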