Date: Thu, 22 Feb 2001 21:23:26 +0200
From: "Timothy S. Bowers" <security@nol.co.za>
To: "Geoffrey T. Falk" <gtf@cirp.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Best way for one-way DNS traffic
Message-ID: <4.3.2.7.2.20010222211944.00b41350@nol.co.za>
In-Reply-To: <200102221907.MAA57960@h-209-91-79-2.gen.cadvision.com>
References: <Pine.BSF.4.33.0102212230430.57938-100000@ashburn.skiltech.com>
>"Set up your DNS as a forwarder to your upstream provider's nameserver."

Let's say 196.25.1.1 was your upstream provider; would you configure it like this:

    forwarders { 196.25.1.1; };

..and I guess if you are hosting reverse IP lookup entries and other domain names you can't do this, can you?

At 12:07 PM 2/22/01 -0700, Geoffrey T. Falk wrote:
>On 22 Feb, H. Wade Minter wrote:
> > My gateway box is running a name server for my home network. Internal
> > clients point to the gateway box for DNS service, and the gateway goes out
> > and resolves DNS queries.
> >
> > I've also got an ipfw firewall on the gateway. What I'd like to do is
> > make it so internal DNS works like it should, but nobody on the outside
> > should be able to connect to port 53.
>
>Set up your DNS as a forwarder to your upstream provider's nameserver.
>Block all inbound traffic on UDP port 53, except from your ISP's
>nameserver. Set up your local zone files also.
>
>This still leaves you open to DoS from someone forging your upstream
>provider's IP address. But by blocking source routed packets you can
>ensure that nobody else can query your nameserver.
>
>g.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
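The forwarder-plus-firewall setup discussed in the thread, written out as an added example in the style of FreeBSD's /etc/rc.firewall (not code from any poster): a forward-only named.conf that still declares local zones, since BIND consults its forwarders only for names outside the zones it is authoritative for, and ipfw rules that let the LAN and the upstream resolver reach port 53, drop source-routed packets, and refuse everyone else. The interfaces fxp0/fxp1, the 192.168.1.0/24 LAN and gateway address, and the zone names are assumed placeholders; 196.25.1.1 is the upstream address from the question.

```shell
#!/bin/sh
# Added example in the style of FreeBSD's /etc/rc.firewall; not code from the thread.
# Placeholders (assumed, not from the thread): fxp0 = outside, fxp1 = LAN,
# 192.168.1.0/24 = LAN, 192.168.1.1 = the gateway's LAN address, zone names.
UPSTREAM=196.25.1.1          # upstream resolver from the question
fwcmd="${fwcmd:-/sbin/ipfw}" # set fwcmd=echo to print rules instead of loading them

# Forward-only named.conf that still serves local zones: BIND consults the
# forwarders only for names outside the zones it is authoritative for.
write_named_conf() {
    upstream="$1"; out="$2"
    cat > "$out" <<EOF
options {
    directory "/etc/namedb";
    forwarders { ${upstream}; };
    forward only;
};
zone "home.example" { type master; file "master/home.example"; };
zone "1.168.192.in-addr.arpa" { type master; file "master/1.168.192.rev"; };
EOF
}

# ipfw rules: LAN and upstream may talk to port 53, everyone else may not.
# If the zones above must be reachable from the Internet, the final deny
# rules cannot stay; the thread assumes a resolver for the home LAN only.
dns_rules() {
    upstream="$1"; oif="$2"; iif="$3"; lan="$4"; gw="$5"
    ${fwcmd} add 1000 allow udp from "$lan" to "$gw" 53 via "$iif"
    ${fwcmd} add 1010 allow tcp from "$lan" to "$gw" 53 via "$iif"
    # Queries to the forwarder and its answers back in. With BIND's
    # "query-source address * port 53" the answers arrive on port 53,
    # which is why the upstream resolver needs this exception.
    ${fwcmd} add 1100 allow udp from any to "$upstream" 53 out via "$oif"
    ${fwcmd} add 1110 allow udp from "$upstream" 53 to any in via "$oif"
    # Drop source-routed packets (the thread's mitigation for spoofed upstream).
    ${fwcmd} add 1200 deny log ip from any to any ipoptions ssrr,lsrr in via "$oif"
    ${fwcmd} add 1300 deny log udp from any to any 53 in via "$oif"
    ${fwcmd} add 1310 deny log tcp from any to any 53 in via "$oif"
}

case "${1:-dry-run}" in
    apply)   write_named_conf "$UPSTREAM" /etc/namedb/named.conf
             dns_rules "$UPSTREAM" fxp0 fxp1 192.168.1.0/24 192.168.1.1 ;;
    dry-run) fwcmd=echo
             write_named_conf "$UPSTREAM" "${TMPDIR:-/tmp}/named.conf.example"
             dns_rules "$UPSTREAM" fxp0 fxp1 192.168.1.0/24 192.168.1.1 ;;
esac
```

Run without arguments to print the rules and write the sample named.conf under /tmp; `apply` loads the rules with ipfw and writes /etc/namedb/named.conf.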