-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Scott Mazur
Sent: Wednesday, July 23, 2008 12:19 PM
To: CentOS mailing list
Subject: Re: [CentOS] Bind Firewall Rules

On Wed, 23 Jul 2008 12:40:42 -0400, John Hinton wrote:
> I'm running caching nameservers on almost all of my systems and then also three nameservers. All are available publicly. I too had hard coded bind to port 53. I also had specifically opened port 53 through the firewall. But now, it appears that using only port 53 is a bad thing. From what I read, both the port and the ID need to change to be secure (even this is just security through obscurity). It's sounding like I'll need to open a port range, but I don't know what a 'good practice' will be.

Port 53 is the DNS port used by the world (and your internal private networks) to query your name server. If your name server is intended to provide domain resolution publicly, just how do you expect the public to find it if you're randomly changing ports? The world won't port scan your machine until it finds a name server answering on one of them. DNS requests, internal or external, will come into your box on port 53, and there would be no point to running a name server (private, public, caching or otherwise) if this port is not open through the firewall.

You've misunderstood the issues of DNS security. It would be dangerous to start messing with your firewall rules until you understand exactly how the process works.
I've understood bind to work this way also. I haven't read up on this vulnerability, but can't you just restrict who queries the server? http://oreilly.com/catalog/dns4/chapter/ch11.html#10959 Maybe dnsstuff is saying your server is vulnerable because of something else. I haven't used them since they started charging, but mine always passed. Do you have an allow-recursion line? Have you changed version to something like this? version "[SECURED]";
I only have my master and slave servers exposed to the outside. My caching and internal DNS is done behind my firewall. I would agree that taking down your firewall is way more dangerous. My firewall rules are based on the howto but try this.
# $IPTABLES is the iptables binary, set earlier in the script (e.g. IPTABLES=/sbin/iptables);
# the tcp_packets and udp_packets chains are expected to be jumped to from INPUT elsewhere in the ruleset.
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets

# "allowed": accept a new TCP connection (SYN) or an established/related one, drop any other TCP packet
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

# TCP to port 53 (zone transfers, truncated-answer retries) from anywhere goes through "allowed"
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed

# UDP to port 53 (ordinary queries) from anywhere is accepted outright
$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 53 -j ACCEPT
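As an added example (not code from the thread or from any of its posters), the following script shows the two things the discussion above turns on. First, a stateful ruleset in iptables-restore format that keeps inbound port 53 open, as Scott says it must be, and opens no inbound "port range": the resolver's own outgoing queries leave from a random high port and their replies come back matched as ESTABLISHED. The thing John had to undo was pinning that outgoing port with "query-source address * port 53;" in named.conf, so a matching options block is included, along with the allow-recursion line and version string asked about above. Second, a check over tcpdump output that the resolver really does vary the source port and transaction ID of its queries. Addresses use the RFC 5737 documentation ranges, the network prefixes are placeholders, and the tcpdump lines are constructed, not captured; nothing here touches a live firewall or a running named.

```shell
#!/bin/sh
# Added example; addresses are documentation ranges and the traces below are
# constructed.  Nothing is applied: the rulesets are only printed.

# --- 1. stateful ruleset in iptables-restore format -------------------------
write_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# replies to the server's own queries, whatever high source port they used
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# clients, internal or external, only ever reach the server on port 53
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 --syn -j ACCEPT
COMMIT
EOF
}
# load with:  write_ruleset | iptables-restore

# --- 2. named.conf options to match (no pinned query-source port) -----------
write_named_options() {
cat <<'EOF'
options {
    // "query-source address * port 53;" pinned every outgoing query to one
    // port; with no port clause named picks a random high port per query.
    query-source address *;
    // recurse only for your own networks (placeholder prefixes)
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };
    version "[SECURED]";
};
EOF
}

# --- 3. check the resolver's outgoing queries --------------------------------
# Feed it:  tcpdump -n -i eth0 'udp and dst port 53 and src host <server>'
# Prints "<queries> <distinct source ports> <distinct transaction IDs>".
query_spread() {
    awk '$2 == "IP" && $5 ~ /\.53:$/ {
             n = split($3, a, "."); port = a[n]       # src port is last label
             txid = $6; sub(/[^0-9].*$/, "", txid)    # drop the +/- flags
             q++; ports[port] = 1; ids[txid] = 1
         }
         END { for (p in ports) np++; for (i in ids) ni++
               print q + 0, np + 0, ni + 0 }'
}

# "pinned" when every query leaves from one port (the query-source port 53
# case), "randomised" when the ports are spread.  On a real trace take
# hundreds of queries and expect distinct ports close to the query count.
check_randomisation() {
    set -- $(query_spread)
    if [ "$1" -lt 2 ]; then echo insufficient
    elif [ "$2" -eq 1 ]; then echo pinned
    else echo randomised
    fi
}

# Constructed traces: a resolver pinned to port 53 and one that randomises.
PINNED_TRACE='12:00:01.000001 IP 192.0.2.10.53 > 198.51.100.1.53: 1001+ A? a.example. (27)
12:00:01.000002 IP 192.0.2.10.53 > 198.51.100.2.53: 1002+ A? b.example. (27)
12:00:01.000003 IP 192.0.2.10.53 > 198.51.100.3.53: 1003+ A? c.example. (27)'
RANDOM_TRACE='12:00:02.000001 IP 192.0.2.10.41234 > 198.51.100.1.53: 30815+ A? a.example. (27)
12:00:02.000002 IP 192.0.2.10.52981 > 198.51.100.2.53: 4421+ A? b.example. (27)
12:00:02.000003 IP 192.0.2.10.33007 > 198.51.100.3.53: 59010+ A? c.example. (27)
12:00:02.000004 IP 192.0.2.10.60112 > 198.51.100.4.53: 12777+ A? d.example. (27)'

printf '%s\n' "$PINNED_TRACE" | check_randomisation   # pinned
printf '%s\n' "$RANDOM_TRACE" | check_randomisation   # randomised
```

The single ESTABLISHED,RELATED rule does for UDP what the posted "allowed" chain does for TCP: the conntrack entry is created when the query leaves, so the reply is let in to whichever port named chose, and no static range is ever opened from the outside. Two caveats when running the check: use tcpdump -n so ports are printed as numbers, and if the server sits behind a NAT box, capture on the outside of it, because a NAT that rewrites source ports can quietly undo the randomisation named is doing.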
_______________________________________________
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos