[CentOS] Bind Firewall Rules
webmaster at ew3d.com
Wed Jul 23 15:01:58 UTC 2008
John Hinton wrote:
> Johnny Hughes wrote:
>> John Hinton wrote:
>>> OK, so does anybody have a good firewall rule solution for what
>>> we're supposed to be doing with bind these days? Obviously port 53
>>> is no longer enough.
>> how do you mean?
>> opening port 53 in is still enough ... the outbound port is what is
>> not sure what kind of problems you are encountering
> I'm trying to pass the test on DNSstuff.com.
> These are my firewall rules for bind
> Accept If protocol is TCP and destination port is 53 and state of
> connection is NEW
> Accept If protocol is UDP and destination port is 53 and state of
> connection is NEW
> from my gui or
> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j
> -A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j
> from iptables.
> I have upgraded bind, but when I remove this line from a config file,
> bind will not restart.
> query-source address * port 53;
> From what I read, the above line is supposed to be removed. My tests
> from outside state that I am vulnerable to cache injections.
> "*Based on the results, a DNS server is vulnerable if:*
> The IPs /AND/ the Query source ports match or the query IDs match.
> Matching query source ports or query IDs make it easier to spoof fake
> results to the DNS server, poisoning its cache."
> The IDs in the testing change, but the port stays the same.
> I read where the firewall rules need to be fixed due to this change, but
> firewalls have never been my strong point. I have a pretty darned good
> understanding of bind..... but firewalls, not so much.
Do I just ask really hard questions or are my questions just not clear?
There has to be others on this list that are running nameservers via
CentOS. This seems to be a nasty issue that we who are running bind need
to get right.
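As an added example (not from the list post or from the BIND or CentOS projects), the following Python audits the two pieces this thread turns on: whether named.conf pins the query source port with a `query-source ... port` line, and whether the firewall chain (assumed here to be the stock `RH-Firewall-1-INPUT` chain the post shows) has an ESTABLISHED accept rule so that replies to queries sent from randomised source ports get back in. The config and rule samples are constructed.

```python
"""Check a named.conf fragment for a pinned query source port, and an
iptables-save style rule dump for an ESTABLISHED accept rule."""
import re

QUERY_SOURCE_RE = re.compile(
    r'^\s*query-source(?:-v6)?\s+(?:address\s+\S+\s+)?port\s+(\S+)\s*;',
    re.MULTILINE)

def fixed_query_port(conf: str):
    """Return the pinned port if named.conf fixes the query source port,
    else None (BIND is then free to pick random ports). 'port *' is not pinned."""
    for m in QUERY_SOURCE_RE.finditer(conf):
        if m.group(1) != '*':
            return m.group(1)
    return None

STATE_RE = re.compile(r'--(?:state|ctstate)\s+(\S+)')

def accepts_established(rules: str, chain: str = 'RH-Firewall-1-INPUT') -> bool:
    """True if some ACCEPT rule in `chain` matches ESTABLISHED traffic, so the
    UDP/TCP replies to outbound queries from random ports are let back in."""
    for line in rules.splitlines():
        if not line.startswith(f'-A {chain} ') or not line.rstrip().endswith('-j ACCEPT'):
            continue
        m = STATE_RE.search(line)
        if m and 'ESTABLISHED' in m.group(1).split(','):
            return True
    return False

# Constructed samples (not taken from the post).
CONF_PINNED = 'options {\n  query-source address * port 53;\n  recursion yes;\n};\n'
CONF_FREE = 'options {\n  recursion yes;\n};\n'
RULES_OK = """-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited"""
RULES_MISSING = """-A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited"""

def audit(conf: str, rules: str) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    port = fixed_query_port(conf)
    if port:
        findings.append(f'query-source pinned to port {port}: remove it so BIND randomises')
    if not accepts_established(rules):
        findings.append('no ESTABLISHED accept rule: replies to random-port queries will be dropped')
    return findings
```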