From owner-freebsd-security Thu Feb 22 11:22:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nol.co.za (nol.co.za [196.33.45.2]) by hub.freebsd.org (Postfix) with ESMTP id CD93637B401 for ; Thu, 22 Feb 2001 11:22:44 -0800 (PST) (envelope-from security@nol.co.za)
Received: from cafe2.sz.co.za ([196.33.45.155] helo=cafe2.nol.co.za) by nol.co.za with esmtp (Exim 3.13 #1) id 14W1J6-0007dZ-00; Thu, 22 Feb 2001 21:21:40 +0200
Message-Id: <4.3.2.7.2.20010222211944.00b41350@nol.co.za>
X-Sender: security@nol.co.za
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 22 Feb 2001 21:23:26 +0200
To: "Geoffrey T. Falk"
From: "Timothy S. Bowers"
Subject: Re: Best way for one-way DNS traffic
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <200102221907.MAA57960@h-209-91-79-2.gen.cadvision.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>"Set up your DNS as a forwarder to your upstream provider's nameserver."

Let's say 196.25.1.1 was your upstream provider. Would you configure it like this:

forwarders { 196.25.1.1; };

...and I guess if you are hosting reverse IP lookup entries and other domain names you can't do this, can you?

At 12:07 PM 2/22/01 -0700, Geoffrey T. Falk wrote:
>On 22 Feb, H. Wade Minter wrote:
> > My gateway box is running a name server for my home network. Internal
> > clients point to the gateway box for DNS service, and the gateway goes out
> > and resolves DNS queries.
> >
> > I've also got an ipfw firewall on the gateway. What I'd like to do is
> > make it so internal DNS works like it should, but nobody on the outside
> > should be able to connect to port 53.
>
>Set up your DNS as a forwarder to your upstream provider's nameserver.
>Block all inbound traffic on UDP port 53, except from your ISP's
>nameserver. Set up your local zone files also.
>
>This still leaves you open to DoS from someone forging your upstream
>provider's IP address. But by blocking source routed packets you can
>ensure that nobody else can query your nameserver.
>
>g.
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
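The forwarder-plus-ipfw setup discussed in this thread, written out as an added example (it is not code from any of the posters). The named.conf fragment in the comments uses the 196.25.1.1 upstream address from the question; the external interface fxp0, the internal interface xl0 and the LAN 192.168.1.0/24 are assumptions. IPFW defaults to echo so the rule set can be reviewed on any machine; set IPFW=/sbin/ipfw on the FreeBSD gateway to apply it.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumptions: external
# interface fxp0, internal interface xl0, LAN 192.168.1.0/24, BIND running
# on the gateway, upstream (ISP) nameserver 196.25.1.1 as in the question.
#
# named.conf fragment for the forwarding part. Forwarders only affect
# recursive lookups; zones this server is authoritative for (including
# reverse zones) are still answered from the local zone files:
#
#   options {
#       forwarders { 196.25.1.1; };
#       forward only;
#   };
#
# IPFW defaults to "echo" so the rules can be inspected without applying them.
IPFW="${IPFW:-echo}"
EXT_IF="${EXT_IF:-fxp0}"
INT_IF="${INT_IF:-xl0}"
UPSTREAM_NS="${UPSTREAM_NS:-196.25.1.1}"
LAN="${LAN:-192.168.1.0/24}"

# dns_rules prints (or applies) the one-way DNS rules. Rule numbers are
# arbitrary; ipfw evaluates lower numbers first.
dns_rules() {
    # Drop source-routed packets arriving on the outside interface, as the
    # reply recommends, before any DNS rule is consulted.
    $IPFW add 1000 deny ip from any to any ipoptions ssrr,lsrr in via "$EXT_IF"

    # The gateway's own resolver may query the upstream server on port 53.
    # keep-state means only replies matching one of our outstanding queries
    # (same addresses and ports) are let back in.
    $IPFW add 1100 allow udp from me to "$UPSTREAM_NS" 53 out via "$EXT_IF" keep-state
    $IPFW add 1110 allow tcp from me to "$UPSTREAM_NS" 53 out via "$EXT_IF" setup keep-state

    # Internal clients may query the gateway on port 53 via the LAN interface.
    $IPFW add 1200 allow udp from "$LAN" to me 53 in via "$INT_IF"
    $IPFW add 1210 allow tcp from "$LAN" to me 53 in via "$INT_IF" setup keep-state

    # Nobody on the outside gets to port 53 on the gateway.
    $IPFW add 1300 deny udp from any to me 53 in via "$EXT_IF"
    $IPFW add 1310 deny tcp from any to me 53 in via "$EXT_IF"
}

# Number of ipfw commands the rule set produces; handy as a sanity check
# when IPFW is left at "echo".
dns_rule_count() {
    dns_rules | grep -c '^add '
}
```

Because the outbound rules use keep-state, a packet that merely forges the upstream server's source address is only accepted if it also matches the ports of a query the gateway has actually sent, which narrows the forged-reply window the thread mentions. Hosting public zones (the forward and reverse lookups raised in the question) is a different requirement: outside resolvers would then have to reach port 53, so rules 1300/1310 would have to be relaxed for those zones.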