[CentOS] Bind Firewall Rules

Scott Mazur centos at littlefish.ca
Wed Jul 23 17:19:00 UTC 2008


On Wed, 23 Jul 2008 12:40:42 -0400, John Hinton wrote
> I'm running caching nameservers on almost all of my systems and then 
> also three nameservers. All are available publicly. I too had hard 
> coded bind to port 53. I also had specifically opened port 53 
> through the firewall. But now, it appears that using only port 53 is 
> a bad thing.  From what I read, both the port and the ID need to 
> change to be secure 
> (even this is just security through obscurity). It's sounding like 
> I'll need to open a port range, but I don't know what a 'good 
> practice' will be.

Port 53 is the DNS port used by the world (and your internal private networks)
to query your name server.  If your name server is intended to provide domain
resolution publicly just how do you expect the public to find it if you're
randomly changing ports?  The world won't port scan your machine until it
finds a name server answering on one of them.  DNS requests, internal or
external, will come into your box on port 53 and there would be no point to
running a name server (private, public, caching or otherwise) if this port is
not open through the firewall.

You've misunderstood the issues of DNS security.  It would be dangerous to
start messing with your firewall rules until you understand exactly how the
process works.
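As an added example (not part of the thread), the two rule sets the exchange is really about, written as shell functions that emit iptables-restore input: the first only works while BIND's outgoing queries are pinned to source port 53, the second keeps port 53 open for the world's queries while letting the resolver send from a random source port and admitting the replies through connection tracking rather than by opening a port range inbound. The interface name, the server address and the ephemeral port range are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: iptables-restore rules for a public BIND server whose
# outgoing queries use randomized source ports (the "port range" in the thread).
# Assumptions: eth0 is the public interface, 192.0.2.53 (documentation range)
# is the name server's address, and 1024-65535 is the unprivileged range the
# resolver is allowed to pick query source ports from.
IFACE="${IFACE:-eth0}"
NS_ADDR="${NS_ADDR:-192.0.2.53}"
EPHEMERAL="${EPHEMERAL:-1024:65535}"

# Rules that only match while BIND is pinned to query-source port 53.
# Once the source port is randomized the OUTPUT rule no longer matches
# and every recursive lookup is silently dropped.
rules_pinned_port() {
    cat <<EOF
*filter
-A INPUT  -i $IFACE -p udp --dport 53 -d $NS_ADDR -j ACCEPT
-A INPUT  -i $IFACE -p tcp --dport 53 -d $NS_ADDR -j ACCEPT
-A OUTPUT -o $IFACE -p udp --sport 53 -s $NS_ADDR --dport 53 -j ACCEPT
-A INPUT  -i $IFACE -p udp --sport 53 --dport 53 -d $NS_ADDR -j ACCEPT
COMMIT
EOF
}

# Corrected rules: port 53 stays open inbound (the point made in the reply),
# outbound queries may leave from any ephemeral source port, and replies are
# admitted by conntrack, so only packets answering a query we sent get in.
rules_random_port() {
    cat <<EOF
*filter
-A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT  -i $IFACE -p udp --dport 53 -d $NS_ADDR -j ACCEPT
-A INPUT  -i $IFACE -p tcp --dport 53 -d $NS_ADDR -j ACCEPT
-A OUTPUT -o $IFACE -p udp -s $NS_ADDR --sport $EPHEMERAL --dport 53 -j ACCEPT
-A OUTPUT -o $IFACE -p tcp -s $NS_ADDR --sport $EPHEMERAL --dport 53 -j ACCEPT
COMMIT
EOF
}

# Flag a rule set that still has the mistake from the thread: a fixed source
# port of 53 on outgoing queries and no conntrack rule to admit replies that
# come back to random ports. Prints "pinned" (exit 1) or "randomized" (exit 0).
classify_rules() {
    if printf '%s\n' "$1" | grep -q -- '--sport 53 .*--dport 53' && \
       ! printf '%s\n' "$1" | grep -q -- 'ctstate ESTABLISHED'; then
        echo pinned; return 1
    fi
    echo randomized; return 0
}
```

Load either set with `rules_random_port | iptables-restore` on a test host; the classifier is only a sanity check on the generated text, not on the running firewall.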
