From owner-freebsd-questions Wed Apr 21 14:23:32 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from resnet.uoregon.edu (resnet.uoregon.edu [128.223.144.32]) by hub.freebsd.org (Postfix) with ESMTP id CF50015911 for ; Wed, 21 Apr 1999 14:23:25 -0700 (PDT) (envelope-from dwhite@resnet.uoregon.edu)
Received: from localhost (dwhite@localhost) by resnet.uoregon.edu (8.8.8/8.8.8) with ESMTP id OAA17431; Wed, 21 Apr 1999 14:20:41 -0700 (PDT) (envelope-from dwhite@resnet.uoregon.edu)
Date: Wed, 21 Apr 1999 14:20:40 -0700 (PDT)
From: Doug White
To: Scott Brown
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: DNS through a firewall
In-Reply-To: <371DF92D.1C74@asgard.slcc.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 21 Apr 1999, Scott Brown wrote:

> I've set up a 2.2.5 machine for firewall duty between my LAN and the
> world, using plain old kernel filtering (ipfw). I'm using the approach
> of denying everything that isn't explicitly allowed. Everything is
> great, it all works just fine.
>
> However, I'd like to know more about how DNS works. Since my firewall
> is also a secondary DNS for our domain, I included in my ruleset the
> three DNS rules from the "simple" rc.firewall section, though I had to
> modify the 2nd and 3rd rules (by replacing "${oip}" with "any") before
> my workstations could do name lookups.
>
> I'm satisfied for the moment with this setup -- my firewall is less
> about securing my machines than about preventing my users from abusing
> their network access -- but I'd really like to know more about the
> comings and goings of packets during DNS queries, and how named
> communicates with its primary. I've asked my supervisor to buy the ORA
> grasshopper and doorway books for me, but any tips in the meantime would
> be appreciated.
For DNS, I suggest running named either on the firewall or on an internal
machine and pointing your clients at that. The cricket book is excellent
for configuring BIND. 2.2.5 uses BIND 4.9.3, but I suggest buying the book
anyway to learn how to configure BIND 8 since all new FreeBSD releases ship
with Bind 8.

DNS packets all travel on port 53, so allow the port for incoming and
outgoing traffic.

Doug White                              |
Internet:  dwhite@resnet.uoregon.edu    | FreeBSD: The Power to Serve
http://gladstone.uoregon.edu/~dwhite    | www.freebsd.org
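The port-53 advice above, worked out as a stateless ipfw rule set for a 2.2.x firewall that also runs named as a secondary. This is an added example, not the thread's own rules or the rc.firewall "simple" section; the addresses, the $primary server and the $fwcmd/$oip/$iip variable names are assumptions, and ipfw of that era has no connection tracking, so each direction of every exchange needs its own pass rule.

```shell
#!/bin/sh
# Constructed addresses for the example; replace with your own.
oip="192.0.2.1"        # firewall's outside address (assumed)
iip="10.0.0.1"         # firewall's inside address (assumed)
inet="10.0.0.0/24"     # LAN behind the firewall (assumed)
primary="192.0.2.53"   # primary name server the zone is slaved from (assumed)
fwcmd="echo ipfw"      # "echo" only prints the rules; use /sbin/ipfw to load them

dns_rules() {
  # 1. Workstations on the LAN query named on the firewall's inside
  #    address; replies come back from port 53 to the client's port.
  $fwcmd add pass udp from $inet to $iip 53
  $fwcmd add pass udp from $iip 53 to $inet

  # 2. named talks to the world on the outside address. Queries from
  #    other resolvers arrive at port 53 and are answered from it; the
  #    recursive lookups named makes on behalf of the LAN also leave
  #    from port 53 (BIND 4/8 default) and the answers return to it,
  #    so these two rules cover both the authoritative and the
  #    recursive role. The same pair is what "${oip}" -> "any" opened up.
  $fwcmd add pass udp from any to $oip 53
  $fwcmd add pass udp from $oip 53 to any

  # 3. How the secondary talks to its primary: the SOA poll is a UDP
  #    query (covered above); the zone transfer itself (AXFR) is TCP 53.
  #    "setup" lets only our side open the connection; "established"
  #    passes the rest of the stream in both directions.
  $fwcmd add pass tcp from $oip to $primary 53 setup
  $fwcmd add pass tcp from $primary 53 to $oip established
  $fwcmd add pass tcp from $oip to $primary 53 established
}

dns_rules
```

Everything else stays denied by the default-deny policy, so TCP 53 is only reachable to and from the configured primary rather than the whole Internet.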