[CentOS] Bind Firewall Rules

Paul A razor at meganet.net
Wed Jul 23 16:50:51 UTC 2008

Correct me if I'm wrong but from my understanding doesn't the new BIND
randomize outgoing source ports only? - If so then if you have your firewall
to allow established connections you should be all set.

P.A > -----Original Message-----
P.A > From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
P.A > Behalf Of John Hinton
P.A > Sent: Wednesday, July 23, 2008 12:41 PM
P.A > To: CentOS mailing list
P.A > Subject: Re: [CentOS] Bind Firewall Rules
P.A > 
P.A > nate wrote:
P.A > > John Hinton wrote:
P.A > >
P.A > >> Do I just ask really hard questions or are my questions just not
P.A > clear?
P.A > >> There has to be others on this list that are running nameservers
P.A > via
P.A > >> CentOS. This seems to be a nasty issue that we who are running bind
P.A > need
P.A > >> to get right.
P.A > >>
P.A > >
P.A > > And the fix is really stupid for those running name servers behind
P.A > firewalls.
P.A > >
P.A > > I can't say I'm an expert on this particular issue but from what
P.A > I've
P.A > > read it seems like the attack depends on being able to send queries
P.A > to
P.A > > the name server in question in order to predict the IDs that the
P.A > system
P.A > > is generating.
P.A > >
P.A > > The way my DNS is setup at home is that I have 2 "external" name
P.A > servers
P.A > > that do not allow recursion for domains that they are not
P.A > responsible
P.A > > for other than for a couple trusted IPs(all of which are local). My
P.A > > main caching name server is internal to my network and cannot be
P.A > directly
P.A > > queried from the internet. As such I think my exposure is pretty
P.A > low.
P.A > > All of my name servers are setup to force their source port to be
P.A > 53,
P.A > > I really really don't like the idea of opening up tens of thousands
P.A > of
P.A > > ports back to my name servers.
P.A > >
P.A > > So I suspect, if your caching name servers are only vulnerable if
P.A > they
P.A > > can be sent queries from the attacker. If your internal network is
P.A > > trusted then I think your fairly safe as long as you don't allow
P.A > > access to the caching name servers externally. And of course run
P.A > > dedicated name servers for authoritative hosting.
P.A > >
P.A > > I plan to have a similar setup at my company, the external
P.A > authoritative
P.A > > servers are not behind a firewall(F5 Global traffic managers), the
P.A > > internal ones are not accessible outside the network. DNS cache
P.A > > poisoning is the least of my worries if an attacker has access to
P.A > the
P.A > > internal network.
P.A > >
P.A > > nate
P.A > >
P.A > >
P.A > I'm running caching nameservers on almost all of my systems and then
P.A > also three nameservers. All are available publicly. I too had hard
P.A > coded
P.A > bind to port 53. I also had specifically opened port 53 through the
P.A > firewall. But now, it appears that using only port 53 is a bad thing.
P.A >  From what I read, both the port and the ID need to change to be
P.A > secure
P.A > (even this is just security through obscurity). It's sounding like
P.A > I'll
P.A > need to open a port range, but I don't know what a 'good practice'
P.A > will be.
P.A > 
P.A > I read through the redhat notes, googled and read all over the place.
P.A > All I seem to find is to remove the named.conf line that forces bind
P.A > through port 53 and then statements like 'your firewall will need to
P.A > be
P.A > adjusted accordingly', with no good suggestions for how to do this.
P.A > 
P.A > So, I'm faced with turning off the firewall to show good external
P.A > testing on bind.... sort of like unlocking every window and door to a
P.A > house, in order try to keep someone from trying to open just one.
P.A > 
P.A > John Hinton
P.A > _______________________________________________
P.A > CentOS mailing list
P.A > CentOS at centos.org
P.A > http://lists.centos.org/mailman/listinfo/centos

More information about the CentOS mailing list