Date: Mon, 23 Aug 1999 13:12:55 -0700 (PDT)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: nate@mt.sri.com (Nate Williams)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
Message-ID: <199908232012.NAA36075@gndrsh.dnsmgr.net>
In-Reply-To: <199908231935.NAA01122@mt.sri.com> from Nate Williams at "Aug 23, 1999 01:35:21 pm"
> I have a public DNS server that I need people to be able to query, but
> is there anything I can do to avoid anyone doing anything 'nasty' to it.

Not a whole lot you can do here, other than keep on top of the latest
versions of bind from ISC.

> Also, I need to open up access to it to those hosts that secondary me,
> as well as those I secondary for.

That one is easy, 2 things to do. First, list those who are secondaries
for zones on this box in the named.conf options {allow-transfer{ip list}};
Second, since xfers are done via TCP, set up rules to allow only your
secondaries to ``setup'' connections to your primary, and allow your
server to ``setup'' connections to the servers it secondaries for.
You should use an option {query-source address X port 53;}; to make
this easier. Here is a sample snip from named.conf:

options {
        directory "/etc/namedb";
        // answer queries only on loopback and the server's own address
        listen-on port 53 { 127.0.0.1; A.B.C.D; };
        // fixed source address/port for outbound queries, so the
        // firewall rules can match on it
        query-source address A.B.C.D port 53;
        // only the listed secondaries may pull zones from this box
        allow-transfer { OUTSIDEIP; };
};

> (I also want to make sure that none of my internal hosts 'leak' DNS
> stuff, but that they also all go through the DNS server in order to find
> hosts...)
>
> I've got some rules in place, but if someone has gotten DNS firewall
> rules I'd be grateful to see them.

These rules only log things, they are not meant to stop things, all logs
are carefully investigated (IPs blacked out to protect the parties and
myself, A.B.C.D is the inside DNS, W.X.Y.Z is the outside DNS, the other
400 rules that don't deal with DNS blacked out as well :-)):

# already-established TCP sessions pass without further checks
ipfw add 10000 allow tcp from any to any established
# inside DNS may open TCP (zone transfer) connections to the outside DNS
ipfw add 10530 allow tcp from A.B.C.D to W.X.Y.Z 53 setup
# any other TCP traffic to port 53 is allowed but logged for review
ipfw add 10539 allow log tcp from any to any 53
# UDP queries to and replies from the inside DNS pass silently
ipfw add 40530 allow udp from any to A.B.C.D 53
ipfw add 40530 allow udp from A.B.C.D 53 to any
# any other UDP to or from port 53 is allowed but logged for review
ipfw add 40539 allow log udp from any to any 53
ipfw add 40539 allow log udp from any 53 to any

To make this work for you change ``allow log'' to ``deny'' or ``deny log''.

Also the above rules don't include the inside DNS doing zone transfers
from outside DNS boxes. Add another 10530 rule:

ipfw add 10530 allow tcp from OUTSIDE to INSIDE 53 setup

Hope that helps...

-- 
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
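The log review that the post relies on ("all logs are carefully investigated"), as an added example that is not part of the original message or of FreeBSD's own tooling: a small Python script that parses ipfw syslog lines produced by the ``allow log'' rules above and flags two things a defender would want to see, an inside host that reaches port 53 outside the network without going through the resolver (the 'leak' case from the quoted question), and a TCP connection to the resolver's port 53 from an address that is not on the secondary list. It assumes the classic ipfw log layout `ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> <in|out> via <iface>`; the sample lines, addresses, network and peer list are constructed for the example.

```python
import ipaddress
import re

# Assumed shape of a FreeBSD-era ipfw syslog line (the prefix before "ipfw:"
# varies by syslog setup, so only the part after it is matched).
LOG_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)

# Constructed sample log; 10.1.1.0/24 is the inside network, 10.1.1.2 the
# inside DNS, 198.51.100.9 a legitimate secondary, the rest are outsiders.
SAMPLE_LOG = [
    "Aug 23 13:10:01 gw /kernel: ipfw: 40539 Accept UDP 10.1.1.5:1036 203.0.113.7:53 out via fxp0",
    "Aug 23 13:10:02 gw /kernel: ipfw: 10539 Accept TCP 198.51.100.9:2048 10.1.1.2:53 in via fxp0",
    "Aug 23 13:10:03 gw /kernel: ipfw: 10539 Accept TCP 192.0.2.44:3001 10.1.1.2:53 in via fxp0",
    "Aug 23 13:10:04 gw /kernel: ipfw: 40539 Accept UDP 10.1.1.2:53 203.0.113.7:1025 out via fxp0",
    "Aug 23 13:10:05 gw sshd[123]: Accepted publickey for rod from 10.1.1.9",
]


def parse_ipfw_line(line):
    """Return a dict of the ipfw fields, or None for lines that are not ipfw records."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def audit_dns_log(lines, inside_net, inside_dns, allowed_peers):
    """Classify logged DNS traffic.

    Returns a list of (kind, src, dst, proto, rule) tuples where kind is
    'leak' for an inside host other than the resolver talking to port 53
    outside, or 'unexpected-tcp' for a TCP connection to the resolver's
    port 53 from an address that is neither inside nor a listed secondary.
    """
    inside = ipaddress.ip_network(inside_net)
    resolver = ipaddress.ip_address(inside_dns)
    peers = {ipaddress.ip_address(p) for p in allowed_peers}
    findings = []
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        to_dns_port = rec["dport"] == 53
        if src in inside and src != resolver and to_dns_port and dst not in inside:
            # an internal host bypassing the resolver; the resolver itself
            # querying outside is normal recursion and is not reported
            findings.append(("leak", str(src), str(dst), rec["proto"], rec["rule"]))
        elif (rec["proto"] == "TCP" and dst == resolver and to_dns_port
              and src not in inside and src not in peers):
            # TCP to port 53 is what zone transfers use, so an unknown
            # outside source deserves a look
            findings.append(("unexpected-tcp", str(src), str(dst), rec["proto"], rec["rule"]))
    return findings


if __name__ == "__main__":
    for finding in audit_dns_log(SAMPLE_LOG, "10.1.1.0/24", "10.1.1.2", ["198.51.100.9"]):
        print("%-15s %s -> %s (%s, rule %d)" % finding)
```

Run against a real syslog file the same way (`audit_dns_log(open("/var/log/security"), ...)`), substituting your own network, resolver address and secondary list; hosts reported as 'leak' are the ones that should be pointed at the inside DNS before the ``allow log'' rules are turned into ``deny''.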