From: "Joseph T. Lee"
To: Dean, Mike Holling, freebsd-security@FreeBSD.ORG
Date: Thu, 31 Dec 1998 02:24:19 -0800
Subject: Re: ipfw and DNS
Message-ID: <19981231022419.A13483@la.best.com>
In-Reply-To: <368AF355.F8AA6397@thegrid.net>

On Wed, Dec 30, 1998 at 07:45:25PM -0800, Dean wrote:
> Mike Holling wrote:
>
> > I have the same question you do about DNS. One of my clients is using a
> > machine to IP masquerade his LAN onto the Internet via DSL link. His
> > provider believes they will be able to successfully keep people from
> > "running servers" by monitoring traffic and probing connected machines.
> > Thus, they state that if they detect a DNS server running on his machine
> > they will charge him $500/mo extra. Right now the machine is running a
> > local caching server for the LAN, and I can't think of any good way to
> > keep external machines from querying it while still allowing responses
> > from other DNS servers back in. Please let me know if you get any good
> > answers.

This is easy.

I've done this because somebody was pinging my IP for DNS queries for a while when I didn't authorize nor advertise it. You can either:

- authorize only a certain group of IPs to access the DNS server, as supported by DNS through the Bind 8 equivalent syntax of allow-query-by, OR
- using ipfw rules, allow any query packet in on 53, but do not return replies out if the incoming packet comes from a certain range of IPs, OR
- using an ipfw rule, drop/reject incoming packets from a certain range of IPs.

I don't know if it's legal for the ISP to monitor traffic as so, or to ban DNS servers, since it shouldn't really matter if somebody runs their own DNS server for local caching only. It's like chasing butterflies while the buffalos rampage through the garden with quake servers and such..

Anyways, them ipfw rules can be set up in advance of setting up a DNS server to log how the ISP is probing his port 53, and set up counter rules against it, maybe even send malicious icmp packets back.

Have fun,

-- 
Joseph nugundam =best=com==/==\=IIGS=/==\=Playstation=/==\=Civic HX CVT=/==\
# Anime Expo 1998 >> www.anime-expo.org/
# Redline Games >> www.redlinegames.com/
# Cal-Animage Epsilon >> www.best.com/~nugundam/epsilon/
# EX: The Online World of Anime & Manga >> www.ex.org/
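The two defensive mechanisms Joseph lists (a BIND 8 query ACL, and ipfw rules that refuse outside queries to port 53 while still letting answers from upstream servers back in) as a worked example. This script is added here and is not code from the thread or from FreeBSD; it assumes a 1998-era stateless ipfw, an external interface `ed0`, an internal interface `ed1`, a public address `203.0.113.10` and a LAN `192.168.1.0/24`, all constructed placeholders, and it takes the "drop incoming packets" variant rather than the "accept but don't answer" one. The BIND 8 directive itself is spelled `allow-query`. Because the rules are stateless, the rule that admits replies matches any UDP with source port 53, so the deny on destination port 53 has to be numbered before it; the `log` keyword on the deny rules gives the record of ISP probing the post mentions (the kernel needs IPFIREWALL_VERBOSE for that).

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules and a BIND 8 allow-query
# block for a caching resolver that must answer only the LAN behind the box.
# Interface names, addresses and the LAN range are constructed placeholders.
EXT_IF="${EXT_IF:-ed0}"            # assumed external (DSL) interface
INT_IF="${INT_IF:-ed1}"            # assumed LAN-side interface
EXT_IP="${EXT_IP:-203.0.113.10}"    # assumed public address of the NAT box
LAN="${LAN:-192.168.1.0/24}"        # assumed LAN behind the box

# Emit ipfw rules in ipfw(8) file syntax, one "add ..." per line, in the
# order they are evaluated. Rules are stateless, as ipfw was in 1998: 1050
# admits any UDP whose source port is 53, so 1020 must come first to stop
# a query aimed at our port 53 regardless of its source port.
dns_rules() {
    ext_if=$1; int_if=$2; ext_ip=$3; lan=$4
    cat <<EOF
add 1000 allow udp from $lan to any 53 in via $int_if
add 1010 allow tcp from $lan to any 53 in via $int_if
add 1020 deny log udp from any to $ext_ip 53 in via $ext_if
add 1030 deny log tcp from any to $ext_ip 53 in via $ext_if
add 1040 allow udp from $ext_ip to any 53 out via $ext_if
add 1050 allow udp from any 53 to $ext_ip in via $ext_if
add 1060 allow tcp from $ext_ip to any 53 out via $ext_if
add 1070 allow tcp from any 53 to $ext_ip in via $ext_if established
EOF
}

# Emit the BIND 8 options block that makes named itself refuse outside
# queries; "localhost" is a built-in BIND 8 ACL, the directory is the
# FreeBSD default and is an assumption.
named_options() {
    lan=$1
    cat <<EOF
options {
    directory "/etc/namedb";
    allow-query { localhost; $lan; };
};
EOF
}

# "show" (default) prints both fragments; "apply" loads the rules through
# ipfw(8)'s file mode, which reads "add ..." lines from a file.
case "${1:-show}" in
    show)
        dns_rules "$EXT_IF" "$INT_IF" "$EXT_IP" "$LAN"
        named_options "$LAN"
        ;;
    apply)
        tmp=$(mktemp /tmp/dns.rules.XXXXXX) || exit 1
        dns_rules "$EXT_IF" "$INT_IF" "$EXT_IP" "$LAN" >"$tmp"
        ipfw -q "$tmp"
        rm -f "$tmp"
        ;;
esac
```

Run it with no argument to review the rules before loading them, then `sh dns-fw.sh apply` on the NAT box. Spoofed packets carrying a LAN source address that arrive on the external interface never match rule 1000 (it is bound to the internal interface) and fall through to the logged deny, which is the same place the ISP's probes land.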