Date:      Mon, 23 Aug 1999 22:37:37 +0200
From:      sthaug@nethelp.no
To:        nate@mt.sri.com
Cc:        freebsd@gndrsh.dnsmgr.net, freebsd-security@FreeBSD.ORG
Subject:   Re: IPFW/DNS rules
Message-ID:  <99207.935440657@verdi.nethelp.no>
In-Reply-To: Your message of "Mon, 23 Aug 1999 14:24:01 -0600"
References:  <199908232024.OAA01685@mt.sri.com>

> > Not a whole lot you can do here, other than keep on top of the latest
> > versions of bind from ISC.  
> 
> *sigh*  Guess Bind is really in the same category as sendmail then.
> Unfortunately, BIND has its hooks all over the system, including the C
> library.  Can I just install the named and not worry about anything
> else, leaving the system the same?  The box in question is running
> 2.2.8, and I *really* don't want to upgrade it if I can avoid it.

You can install 8.2.1 just fine on a 2.2.8 box. It's a good idea to get
8.2.1 (or newer - 8.2.2 is now in public beta test) because of security
fixes. For one thing, 8.2 and newer lets you randomize query IDs -
8.1.2 doesn't.

> > Second since xfers are done via TCP setup rules to allow only your secondaries
> > to ``setup'' connections to your primary, and allow your server to
> > ``setup'' connections to the servers it secondaries for.
> 
> Can I setup firewall rules for this as well?  Do normal queries require
> TCP connections?  I'd like to be able to 'shutoff' TCP access to the box
> except from my secondaries if at all possible.

That would be a pretty bad idea in general:

- A resolver is *allowed* to use TCP for DNS queries.
- The RFC specifies that a resolver *should* retry using TCP if a UDP
answer is too big (and thus gets the TC, Truncated, bit set).

Of course, for a primary which is behind a firewall, and only supposed
to be accessed from the secondaries, the situation is different.

For general DNS info, try http://www.dns.net/dnsrd/. The best book is
the O'Reilly "DNS and BIND" book by Albitz and Liu. Make sure you get
the newest edition.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
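The two protocol points above (a randomized query ID, and falling back to TCP when a UDP answer comes back with the TC bit set) as an added, self-contained example; this is not code from the original message or from BIND. It builds an RFC 1035 query, parses the response header, and applies the 2-byte length prefix that DNS over TCP requires. The name example.com, the address 192.0.2.1 and the two fake "servers" are constructed stand-ins so it runs offline; no sockets are opened.

```python
import os
import struct

# RFC 1035 section 4.1.1 header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: answer did not fit in the UDP reply
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, qid=None):
    """Build a query for (name, qtype, IN). The ID is random unless the caller fixes it."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")   # unpredictable ID, as BIND 8.2 can do
    return HEADER.pack(qid, FLAG_RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header into a dict; raises on short input."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    qid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}


def needs_tcp_retry(query, response):
    """True when the response is a truncated answer to *this* query."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"]:
        # Not our answer (stale or forged); never act on it.
        raise ValueError("response ID does not match query ID")
    return r["qr"] and r["tc"]


def frame_for_tcp(msg):
    """RFC 1035 section 4.2.2: over TCP every message carries a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream):
    """Split a TCP byte stream back into individual DNS messages."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack_from("!H", stream, off)
        off += 2
        if off + n > len(stream):
            raise ValueError("TCP stream ends inside a message")
        msgs.append(stream[off:off + n])
        off += n
    return msgs


def make_response(query, truncated):
    """Constructed server side: echo the question; answer with one A record unless truncated."""
    qid = parse_header(query)["id"]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    question = query[HEADER.size:]
    if truncated:
        return HEADER.pack(qid, flags, 1, 0, 0, 0) + question
    # Answer RR: compression pointer to the question name (offset 12), A, IN, TTL, 4-byte rdata
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return HEADER.pack(qid, flags, 1, 1, 0, 0) + question + answer


def resolve(query, udp_send, tcp_send):
    """Try UDP first; on a truncated answer repeat the query over TCP (RFC 1035 section 4.2.1)."""
    answer = udp_send(query)
    if needs_tcp_retry(query, answer):
        answer = unframe_from_tcp(tcp_send(frame_for_tcp(query)))[0]
        if parse_header(answer)["id"] != parse_header(query)["id"]:
            raise ValueError("TCP response ID does not match query ID")
    return answer


# Constructed stand-ins for a server whose UDP reply is too big but whose TCP reply is complete.
def fake_udp_server(query):
    return make_response(query, truncated=True)


def fake_tcp_server(framed):
    return frame_for_tcp(make_response(unframe_from_tcp(framed)[0], truncated=False))


if __name__ == "__main__":
    q = build_query("example.com")
    a = resolve(q, fake_udp_server, fake_tcp_server)
    print(parse_header(a))
```

The point for the firewall question is in resolve(): a perfectly ordinary resolver will open a TCP connection to port 53 after a truncated UDP reply, so blocking TCP/53 from everyone except the secondaries breaks those clients unless the server only ever answers its secondaries.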
