[CentOS] Bind Firewall Rules

nate centos at linuxpowered.net
Wed Jul 23 17:07:53 UTC 2008

Paul A wrote:
> Correct me if I'm wrong but from my understanding doesn't the new BIND
> randomize outgoing source ports only? - If so then if you have your firewall
> to allow established connections you should be all set.

That's a good point, just tested it out on my firewall, removed
the port 53 option from named.conf and restarted bind and can
still query it internally and externally for its authoritative domains.

Perhaps my firewall is just less strict than it used to be (migrated
from freebsd to openbsd about a year ago). I don't recall what the
ruleset used to look like. I do recall having to enable that option
years ago else I couldn't query through the firewall.

Still I think caching name servers should be more protected whenever
possible, as this "fix" isn't really a fix; it just makes it a bit harder
to determine what the id is.
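As an added example (not part of this thread or of BIND's own files), the kind of fixed-port option discussed above is shown beside the form without it, together with a small shell check that flags a configuration which pins the outgoing query source port. The directory, address ranges and interface names are assumptions for illustration only.

```shell
#!/bin/sh
# Added example: audit a named.conf fragment for a fixed outgoing query
# source port, which defeats BIND's source-port randomization.
# Paths, address ranges and interface names below are assumptions.

# Constructed "before" fragment: the option the poster removed.
# Pinning port 53 makes every outgoing query's source port predictable.
WEAK_CONF='
options {
    directory "/var/named";
    query-source address * port 53;
    recursion yes;
};
'

# Constructed "after" fragment: no fixed port, so BIND chooses a random
# source port per query, and recursion is limited to internal clients
# (the extra protection for caching servers the post argues for).
FIXED_CONF='
options {
    directory "/var/named";
    query-source address *;
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.0.0/16; };
};
'

# With random source ports, a stateful firewall rule is what lets the
# UDP replies back in, rather than a static rule matching source port 53.
# Assumed pf example:  pass out on $ext_if proto udp from $ns to any port 53 keep state

# Print "pinned" if the config text on stdin forces a single numeric
# query source port, "random" otherwise ("port *" counts as random).
query_port_mode() {
    if grep -Eq 'query-source[^;]*port[[:space:]]+[0-9]+'; then
        echo pinned
    else
        echo random
    fi
}

echo "before: $(printf '%s' "$WEAK_CONF" | query_port_mode)"
echo "after:  $(printf '%s' "$FIXED_CONF" | query_port_mode)"
```

Run it against a real named.conf with `query_port_mode < /etc/named.conf` after sourcing the script; a result of "pinned" means the randomization is being undone by configuration.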


