From owner-freebsd-security Thu Feb 22 11: 7:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from h-209-91-79-2.gen.cadvision.com (h24-68-202-204.cg.shawcable.net [24.68.202.204]) by hub.freebsd.org (Postfix) with ESMTP id DDA7B37B491 for ; Thu, 22 Feb 2001 11:07:13 -0800 (PST) (envelope-from gtf@cirp.org)
Received: from cirp.org (localhost [127.0.0.1]) by h-209-91-79-2.gen.cadvision.com (8.9.3/8.9.3) with ESMTP id MAA57960; Thu, 22 Feb 2001 12:07:02 -0700 (MST) (envelope-from gtf@cirp.org)
Message-Id: <200102221907.MAA57960@h-209-91-79-2.gen.cadvision.com>
Date: Thu, 22 Feb 2001 12:07:01 -0700 (MST)
From: "Geoffrey T. Falk"
Subject: Re: Best way for one-way DNS traffic
To: "H. Wade Minter"
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To:
MIME-Version: 1.0
Content-Type: TEXT/plain; CHARSET=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 22 Feb, H. Wade Minter wrote:
> My gateway box is running a name server for my home network. Internal
> clients point to the gateway box for DNS service, and the gateway goes out
> and resolves DNS queries.
>
> I've also got an ipfw firewall on the gateway. What I'd like to do is
> make it so internal DNS works like it should, but nobody on the outside
> should be able to connect to port 53.

Set up your DNS as a forwarder to your upstream provider's nameserver.
Block all inbound traffic on UDP port 53, except from your ISP's
nameserver. Set up your local zone files also.

This still leaves you open to DoS from someone forging your upstream
provider's IP address. But by blocking source routed packets you can
ensure that nobody else can query your nameserver.

g.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
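The three steps in the reply (forward-only resolver, port 53 open to the LAN only with the ISP's nameserver as the single outside exception, source-routed packets dropped) as one script. This is an added example, not code from the thread or from either poster; the interface names, the 192.168.1.0/24 home network, the gateway address and the 198.51.100.53 upstream resolver are placeholders, and the rule numbers are arbitrary. Setting IPFW=echo prints the rules instead of loading them, which is how the test below exercises it.

```shell
#!/bin/sh
# Added example, not code from the list thread: a forwarding-only resolver on
# the gateway plus ipfw rules that expose port 53 to the LAN only, following
# the steps in the reply above. Interface names, addresses and the upstream
# resolver are placeholders (assumptions); replace them with your own.

LAN_IF="${LAN_IF:-fxp0}"                 # inside interface (assumption)
WAN_IF="${WAN_IF:-fxp1}"                 # outside interface (assumption)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # home network (assumption)
GW_LAN_IP="${GW_LAN_IP:-192.168.1.1}"    # gateway address on the LAN
ISP_DNS="${ISP_DNS:-198.51.100.53}"      # ISP's nameserver (placeholder)
IPFW="${IPFW:-ipfw -q}"                  # IPFW=echo prints rules instead of loading

# Step 1: named.conf options for a forwarder. "forward only" sends every
# query the gateway cannot answer from its own zones to ISP_DNS; listen-on
# and allow-query keep the daemon itself from answering outsiders even if a
# firewall rule is ever mis-ordered.
named_forwarder_options() {
    cat <<EOF
options {
    directory "/etc/namedb";
    listen-on { 127.0.0.1; $GW_LAN_IP; };
    forward only;
    forwarders { $ISP_DNS; };
    allow-query { 127.0.0.1; $LAN_NET; };
};
EOF
}

# Step 2: ipfw rules. Rule numbers leave room for the rest of a ruleset.
dns_rules() {
    # Source-routed packets are dropped before anything else: they are one
    # way for a forged upstream address to still get a reply path.
    $IPFW add 100 deny log ip from any to any ipoptions ssrr,lsrr

    # Internal clients may reach the gateway's resolver (UDP, plus TCP for
    # answers that do not fit in a UDP datagram).
    $IPFW add 200 allow udp from $LAN_NET to $GW_LAN_IP 53 in via $LAN_IF
    $IPFW add 210 allow tcp from $LAN_NET to $GW_LAN_IP 53 in via $LAN_IF

    # Queries go out only to the ISP's nameserver, and only its answers
    # (source port 53) are let back in. As the reply notes, a packet that
    # forges ISP_DNS as its source still matches rule 310.
    $IPFW add 300 allow udp from any to $ISP_DNS 53 out via $WAN_IF
    $IPFW add 310 allow udp from $ISP_DNS 53 to any in via $WAN_IF
    $IPFW add 320 allow tcp from any to $ISP_DNS 53 out via $WAN_IF
    $IPFW add 330 allow tcp from $ISP_DNS 53 to any in via $WAN_IF established

    # Everything else aimed at port 53 from the outside is dropped and logged,
    # so outside probes show up in the ipfw log.
    $IPFW add 400 deny log udp from any to any 53 in via $WAN_IF
    $IPFW add 410 deny log tcp from any to any 53 in via $WAN_IF
}

# Usage: sh dns-gateway.sh show   (print rules and named options)
#        sh dns-gateway.sh load   (load rules with ipfw)
case "${1:-}" in
    show) IPFW=echo; dns_rules; named_forwarder_options ;;
    load) dns_rules ;;
esac
```

Rule 310 is the stateless form the reply describes, which is why the forged-source caveat in the reply applies to it unchanged; ipfw's keep-state/check-state narrows the window to the lifetime of an outstanding query but does not remove it. FreeBSD also refuses source-routed packets at the IP layer when the sysctls net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute are left at their default of 0, so rule 100 is a belt-and-braces check rather than the only line of defence.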