Date: Thu, 22 Feb 2001 12:07:01 -0700 (MST)
From: "Geoffrey T. Falk" <gtf@cirp.org>
To: "H. Wade Minter" <minter@lunenburg.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Best way for one-way DNS traffic
Message-ID: <200102221907.MAA57960@h-209-91-79-2.gen.cadvision.com>
In-Reply-To: <Pine.BSF.4.33.0102212230430.57938-100000@ashburn.skiltech.com>
On 22 Feb, H. Wade Minter wrote:
> My gateway box is running a name server for my home network. Internal
> clients point to the gateway box for DNS service, and the gateway goes out
> and resolves DNS queries.
>
> I've also got an ipfw firewall on the gateway. What I'd like to do is
> make it so internal DNS works like it should, but nobody on the outside
> should be able to connect to port 53.

Set up your DNS as a forwarder to your upstream provider's nameserver. Block all inbound traffic on UDP port 53, except from your ISP's nameserver. Set up your local zone files also.

This still leaves you open to DoS from someone forging your upstream provider's IP address. But by blocking source-routed packets you can ensure that nobody else can query your nameserver.

g.
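One way to turn Falk's advice into ipfw rules on the gateway, as an added example that is not part of the original thread: outside traffic to or from port 53 is admitted only when it is the reply to a query the gateway itself sent upstream (tracked with keep-state) or comes from the ISP's nameserver, source-routed packets are dropped first, and everything else aimed at port 53 is denied and logged. The interface name fxp0, the addresses 192.0.2.1 and 198.51.100.53, and the function names are placeholders chosen for the example, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw policy for a FreeBSD gateway that
# runs a forwarding nameserver for the LAN and must not answer outside queries.
# The interface name and both addresses are placeholders.
EXT_IF="fxp0"                # external interface
GW_IP="192.0.2.1"            # gateway's external address
ISP_DNS="198.51.100.53"      # upstream provider's nameserver

# Emit the ipfw commands rather than running them, so the policy can be
# reviewed (or compared with "ipfw list") before it is loaded at boot.
dns_rules() {
    cat <<EOF
# Source-routed packets are one way to forge the upstream address; drop them first.
ipfw add 100 deny log ip from any to any ipoptions ssrr,lsrr in via $EXT_IF
# Queries the gateway itself sends upstream: remember them so only the
# matching replies are let back in (full 4-tuple state, not just source port 53).
ipfw add 1000 allow udp from $GW_IP to $ISP_DNS 53 out via $EXT_IF keep-state
ipfw add 1001 allow tcp from $GW_IP to $ISP_DNS 53 out via $EXT_IF setup keep-state
ipfw add 1010 check-state
# Stateless exception for the upstream nameserver only, as the thread suggests.
ipfw add 1020 allow udp from $ISP_DNS 53 to $GW_IP in via $EXT_IF
# Everyone else on the outside gets no port 53 at all, UDP or TCP.
ipfw add 1030 deny log udp from any to any 53 in via $EXT_IF
ipfw add 1031 deny log tcp from any to any 53 in via $EXT_IF
EOF
}

# Number of rules that reject outside traffic; a quick sanity check that the
# deny rules survived any local editing of the list above.
deny_count() {
    dns_rules | grep -c '^ipfw add [0-9]* deny'
}

# Print the policy; on the gateway, pipe the reviewed output into sh.
dns_rules
```

The matching nameserver side is the `options { forward only; forwarders { 198.51.100.53; }; };` stanza in named.conf, with `allow-query` restricted to the LAN and loopback so named itself refuses outsiders even if a packet slips past the filter. Falk's caveat still applies to rule 1020: a UDP packet forged with the upstream nameserver's source address matches it, so the stateful rules (1000, 1001, 1010) are the ones doing the real work, and 1020 can be removed once the dynamic rules are confirmed to admit the replies.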