Date:      Wed, 21 Apr 1999 14:20:40 -0700 (PDT)
From:      Doug White <dwhite@resnet.uoregon.edu>
To:        Scott Brown <skb@asgard.slcc.edu>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: DNS through a firewall
Message-ID:  <Pine.BSF.4.03.9904211418550.27954-100000@resnet.uoregon.edu>
In-Reply-To: <371DF92D.1C74@asgard.slcc.edu>

On Wed, 21 Apr 1999, Scott Brown wrote:

> I've set up a 2.2.5 machine for firewall duty between my LAN and the
> world, using plain old kernel filtering (ipfw).  I'm using the approach
> of denying everything that isn't explicitly allowed.  Everything is
> great, it all works just fine.
> 
> However, I'd like to know more about how DNS works.  Since my firewall
> is also a secondary DNS for our domain, I included in my ruleset the
> three DNS rules from the "simple" rc.firewall section, though I had to
> modify the 2nd and 3rd rules (by replacing "${oip}" with "any") before
> my workstations could do name lookups.
> 
> I'm satisfied for the moment with this setup -- my firewall is less
> about securing my machines than about preventing my users from abusing
> their network access -- but I'd really like to know more about the
> comings and goings of packets during DNS queries, and how named
> communicates with its primary.  I've asked my supervisor to buy the ORA
> grasshopper and doorway books for me, but any tips in the meantime would
> be appreciated.

For DNS, I suggest running named either on the firewall or on an internal
machine and pointing your clients at that.  The cricket book is excellent
for configuring BIND.  2.2.5 uses BIND 4.9.3, but I suggest buying the
book anyway to learn how to configure BIND 8 since all new FreeBSD
releases ship with BIND 8.

DNS packets all travel on port 53, so allow the port for incoming and
outgoing traffic.

Doug White                               
Internet:  dwhite@resnet.uoregon.edu    | FreeBSD: The Power to Serve
http://gladstone.uoregon.edu/~dwhite    | www.freebsd.org
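As an added example (not part of Doug's reply or of Scott's ruleset): ipfw rules in rc.firewall style for a default-deny firewall that also runs a secondary named, covering the UDP queries both messages discuss plus the TCP zone transfer from the primary. The addresses 192.0.2.1 (the firewall's outside address, standing in for ${oip}) and 192.0.2.53 (the primary) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread.  Emits ipfw rules for a
# default-deny firewall that is also a secondary named.  Placeholders:
#   oip     = the firewall's outside address (rc.firewall's ${oip})
#   primary = the master name server this secondary transfers its zone from
dns_rules() {
    oip=$1
    primary=$2
    # Lookups from the LAN behind the firewall, and from the firewall itself,
    # go out to any server on udp/53.  "any" on the inside is what the
    # original poster needed: forwarded workstation queries do not come
    # from ${oip}, so a rule written only for ${oip} never matched them.
    echo "pass udp from any to any 53 out"
    echo "pass udp from any 53 to any in"
    # The secondary answers queries for our own zone from the outside.
    echo "pass udp from any to ${oip} 53 in"
    echo "pass udp from ${oip} 53 to any out"
    # Zone transfers (and answers too large for UDP) use tcp/53.  Only the
    # primary may open a connection to our port 53; we may open one to it.
    echo "pass tcp from ${primary} to ${oip} 53 setup"
    echo "pass tcp from ${oip} to ${primary} 53 setup"
    echo "pass tcp from any to any established"
}

# Run as "APPLY=yes sh dns_rules.sh" on the firewall to load the rules;
# without APPLY the script only lists them so they can be reviewed.
OIP=192.0.2.1        # constructed placeholder
PRIMARY=192.0.2.53   # constructed placeholder
if [ "${APPLY:-no}" = yes ]; then
    dns_rules "$OIP" "$PRIMARY" | while read -r rule; do
        /sbin/ipfw add $rule
    done
else
    dns_rules "$OIP" "$PRIMARY"
fi
```

Because ipfw of that era filters statelessly, the second rule admits any inbound UDP whose source port is 53, not only replies to our own queries; later ipfw releases added keep-state/check-state to close that gap.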


