From owner-freebsd-security Thu Dec 31 07:16:12 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA09268 for freebsd-security-outgoing; Thu, 31 Dec 1998 07:16:12 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from obie.softweyr.com ([204.68.178.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA09260; Thu, 31 Dec 1998 07:16:10 -0800 (PST) (envelope-from wes@softweyr.com)
Received: from softweyr.com (zaphod.softweyr.com [204.68.178.35]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id IAA07700; Thu, 31 Dec 1998 08:15:08 -0700 (MST) (envelope-from wes@softweyr.com)
Message-ID: <368B94FC.61C6391E@softweyr.com>
Date: Thu, 31 Dec 1998 08:15:08 -0700
From: Wes Peters <wes@softweyr.com>
Organization: Softweyr llc
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.0-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: "Joseph T. Lee"
CC: Dean, Mike Holling, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and DNS
References: <368AF355.F8AA6397@thegrid.net> <19981231022419.A13483@la.best.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Joseph T. Lee" wrote:
>
> On Wed, Dec 30, 1998 at 07:45:25PM -0800, Dean wrote:
> > Mike Holling wrote:
> > >
> > > I have the same question you do about DNS. One of my clients is using a
> > > machine to IP masquerade his LAN onto the Internet via DSL link. His
> > > provider believes they will be able to successfully keep people from
> > > "running servers" by monitoring traffic and probing connected machines.
> > > Thus, they state that if they detect a DNS server running on his machine
> > > they will charge him $500/mo extra. Right now the machine is running a
> > > local caching server for the LAN, and I can't think of any good way to
> > > keep external machines from querying it while still allowing responses
> > > from other DNS servers back in. Please let me know if you get any good
> > > answers.
>
> This is easy. I've done this because somebody was pinging my IP for
> DNS queries for a while when I didn't authorize nor advertise it.
>
> You can either authorize only a certain group of IPs to access the DNS
> server, as supported by DNS through the Bind 8 equivalent syntax of
> allow-query-by,

If you're running FreeBSD 3.0, it looks like the following syntax might work:

options {
        directory "/var/named";
        allow-query { localnets; !any; };
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
};

Be warned: I haven't tried this. My DNS server is still running 2.2.7, and
is only a secondary for my domain. The primary is on Solaris, somewhere off
in ISP land.

--
       "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                 Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com
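The thread's subject is ipfw, and the `allow-query` option above only covers the name server itself. The following is an added example, not code from the original message or from any of its authors: a small POSIX sh generator for a stateless ipfw ruleset that complements `allow-query` at the packet level. It lets the LAN's caching server send queries out and receive the answers, and drops (with logging) any DNS query arriving from the outside, so the server is invisible to an external probe even if the BIND configuration is later loosened by mistake. The interface name `ed0` and the address `192.0.2.10` are placeholders assumed for the example; every rule is pinned to the external interface, so LAN-side traffic to the server is not affected.

```shell
#!/bin/sh
# Added example, not part of the original message: generate a stateless
# ipfw ruleset for a host running a LAN-only caching name server behind
# one external link. Placeholders (assumed, not from the thread): ed0 is
# the external interface, 192.0.2.10 its address.

# dns_rules OIF OIP  -> prints one ipfw rule per line
dns_rules() {
    oif="$1"
    oip="$2"
    n=1000
    # rule numbers rise by 10 so a rule can later be slotted in between
    emit() { echo "add $n $*"; n=$((n + 10)); }

    # Answers to queries the caching server itself sent: they come back
    # from remote port 53 to the unprivileged port the server queried from.
    emit allow udp from "$oip" 1024-65535 to any 53 out via "$oif"
    emit allow udp from any 53 to "$oip" 1024-65535 in via "$oif"

    # The same for TCP (truncated answers, zone transfers this server pulls).
    # 'setup' lets only our side open the connection; 'established' admits
    # the remaining segments of a connection that was set up from our side.
    emit allow tcp from "$oip" 1024-65535 to any 53 out via "$oif" setup
    emit allow tcp from "$oip" 1024-65535 to any 53 out via "$oif" established
    emit allow tcp from any 53 to "$oip" 1024-65535 in via "$oif" established

    # Queries from the outside to our port 53 are dropped and logged, so an
    # external probe of the server shows up in the ipfw log rather than
    # being answered.
    emit deny log udp from any to "$oip" 53 in via "$oif"
    emit deny log tcp from any to "$oip" 53 in via "$oif"
}

# Sanity check: count the rules that refuse inbound traffic to port 53 on
# the external address, so later editing cannot silently drop them.
inbound_53_denies() {
    dns_rules "$1" "$2" | grep -c "deny log .* to $2 53 in via $1"
}

# Preview when run directly. To apply, save the output to a file and hand
# that file to ipfw as a rule file.
dns_rules ed0 192.0.2.10
```

Two caveats worth knowing before relying on this. The reply rules assume the server queries from an unprivileged port, which is what BIND 8's `query-source` option does by default (`port *`); if `query-source` is pinned to port 53, the answers arrive on port 53 and any stateless rule wide enough to admit them would also admit an outsider querying from source port 53, so leave the source port unprivileged. The `log` keyword only produces output when the kernel is built with `IPFIREWALL_VERBOSE`; without it the packets are still denied, just silently.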