[CentOS] Bind Firewall Rules

Wed Jul 23 17:57:39 UTC 2008
Dan Carl <danc at bluestarshows.com>


> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org]On
> Behalf Of Scott Mazur
> Sent: Wednesday, July 23, 2008 12:19 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Bind Firewall Rules
>
>
> On Wed, 23 Jul 2008 12:40:42 -0400, John Hinton wrote
> > I'm running caching nameservers on almost all of my systems and then
> > also three nameservers. All are available publicly. I too had hard
> > coded bind to port 53. I also had specifically opened port 53
> > through the firewall. But now, it appears that using only port 53 is
> > a bad thing.  From what I read, both the port and the ID need to
> > change to be secure
> > (even this is just security through obscurity). It's sounding like
> > I'll need to open a port range, but I don't know what a 'good
> > practice' will be.
>
> Port 53 is the dns port used by the world (and your internal private
> networks) to query your name server.  If your name server is intended to
> provide domain resolution publicly just how do you expect the public to
> find it if you're randomly changing ports?  The world won't port scan your
> machine until it finds a name server answering on one of them.  Dns
> requests, internal or external, will come into your box on port 53 and
> there would be no point to running a name server (private, public, caching
> or otherwise) if this port is not open through the firewall.
>
> You've mis-understood the issues of dns security.  It would be dangerous
> to start messing with your firewall rules until you understand exactly
> how the process works.

I've understood bind to work this way also.
I haven't read up on this vulnerability but can't you just restrict who
queries the server?
http://oreilly.com/catalog/dns4/chapter/ch11.html#10959
Maybe dnsstuff is saying your server is vulnerable because of something
else.
I haven't used them since they started charging but mine always passed.
Do you have an allow-recursion line?
Have you changed version to something like this?
version "[SECURED]";

I only have my master and slave servers exposed to the outside.
My caching and internal DNS is done behind my firewall.
I would agree that taking down your firewall is way more dangerous.
My firewall rules are based on the howto but try this.

# Path to the iptables binary (the howto's scripts define this at the top).
IPTABLES=/sbin/iptables

# User-defined chains: one for TCP sanity checks, one each for TCP/UDP services.
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets

# "allowed": accept new connections (SYN) and traffic belonging to existing
# ones; anything else TCP is dropped.
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

# DNS over TCP (zone transfers, large answers) from anywhere, via "allowed".
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed

# DNS over UDP from anywhere.
$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 53 -j ACCEPT

# Hook the service chains into INPUT so the rules above actually see traffic.
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udp_packets
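An added example to go with the rules above (not Dan's own script): it
emits the inbound/outbound DNS rules that keep port 53 reachable while
leaving the resolver's outgoing source port free to be randomized, and it
greps a named.conf for a pinned "query-source ... port N", which is what
"hard coding bind to port 53" means and what defeats randomization. The
file path and the dry-run default (IPTABLES="echo iptables") are assumptions.

```shell
#!/bin/sh
# Dry-run by default: prints the commands. Set IPTABLES=/sbin/iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"

# Firewall rules for a publicly reachable name server that also resolves.
dns_rules() {
    # Inbound: the world (and your LAN) queries you on destination port 53 only.
    $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 53 --syn -j ACCEPT
    # Outbound: BIND picks a random source port for each query, so match on
    # the destination port only. Never pin --sport here.
    $IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
    # Replies come back to that random port; conntrack lets them in.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Returns 1 if named.conf pins the query source port to a fixed number
# (e.g. "query-source address * port 53;"). "port *" is fine and passes.
check_query_source() {   # $1 = path to named.conf (assumed)
    if grep -Eq 'query-source[^;]*port[[:space:]]+[0-9]+' "$1"; then
        echo "WARN: $1 pins query-source port; remove it so BIND randomizes"
        return 1
    fi
    echo "OK: query-source port not pinned in $1"
    return 0
}

# Returns 1 if there is no allow-recursion line, i.e. the server answers
# recursive queries for the whole world instead of just your own networks.
check_recursion() {      # $1 = path to named.conf (assumed)
    if grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*\{' "$1"; then
        echo "OK: allow-recursion is set in $1"
        return 0
    fi
    echo "WARN: no allow-recursion in $1; recursion is open to everyone"
    return 1
}
```

Run the checks against your real config and only then apply the rules for
real with IPTABLES=/sbin/iptables.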
 _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>