On Mon, Jul 21, 2008 at 6:37 AM, John Hinton <webmaster at ew3d.com> wrote:
> Johnny Hughes wrote:
>>
>> John Hinton wrote:
>>>
>>> OK, so does anybody have a good firewall rule solution for what we're
>>> supposed to be doing with bind these days? Obviously port 53 is no longer
>>> enough.
>>>
>>
>> how do you mean?
>>
>> opening port 53 in is still enough ... the outbound port is what is
>> randomized
>>
>> not sure what kind of problems you are encountering
>
> I'm trying to pass the test on DNSstuff.com.
>
> These are my firewall rules for bind
>
> Accept If protocol is TCP and destination port is 53 and state of
> connection is NEW
> Accept If protocol is UDP and destination port is 53 and state of
> connection is NEW
>
> from my gui or
>
> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j ACCEPT
>
> from iptables.
>
> I have upgraded bind, but when I remove this line from a config file,
> bind will not restart.
>
> query-source address * port 53;
>
> From what I read, the above line is supposed to be removed. My tests
> from outside state that I am vulnerable to cache injections.
>

I don't think your problem is with your firewall.. it's with something in
the bind configs that is causing bind not to work without the query-source
line. What errors are you seeing?

> "*Based on the results, a DNS server is vulnerable if:*
> The IPs /AND/ the Query source ports match or the query IDs match.
> Matching query source ports or query IDs make it easier to spoof fake
> results to the DNS server, poisoning its cache."
>

--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams!
So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"
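The two checks the thread turns on, as an added example that is not code from the list or from BIND: a scan of a named.conf fragment for a `query-source` directive that pins the outbound port (the line John was told to remove), and the DNSstuff-style "source ports match or query IDs match" test applied to samples of outbound queries. The config fragments, the query samples and the `query-source` regex are constructed here; only `query-source address * port 53;` comes from the thread.

```python
import re
from collections import Counter

# Constructed named.conf fragments: the first pins the outbound port as in
# the thread, the second leaves named free to randomize it.
NAMED_CONF_PINNED = """
options {
    directory "/var/named";
    query-source address * port 53;
};
"""
NAMED_CONF_RANDOM = """
options {
    directory "/var/named";
    query-source address *;
};
"""

# Assumed shape of the directive: 'query-source [address X] [port N|*];'
QUERY_SOURCE_RE = re.compile(
    r"query-source(?:-v6)?\s+[^;]*?\bport\s+(\d+|\*)", re.IGNORECASE)


def pinned_query_port(named_conf: str):
    """Return the fixed outbound port if query-source pins one, else None.
    'port *' or no port clause means named picks a random source port."""
    for m in QUERY_SOURCE_RE.finditer(named_conf):
        if m.group(1) != "*":
            return int(m.group(1))
    return None


# Constructed samples of queries seen leaving a resolver: (source port, TXID).
# A resolver with the pinned directive reuses port 53 for every query.
PINNED_QUERIES = [(53, 0x1A2B), (53, 0x3C4D), (53, 0x5E6F), (53, 0x7081)]
RANDOM_QUERIES = [(51234, 0x1A2B), (23987, 0x3C4D), (60411, 0x5E6F), (34770, 0x7081)]


def looks_poisonable(queries):
    """The criterion quoted at the end of the thread: a resolver is at risk if
    its query source ports repeat or its query IDs repeat across queries."""
    ports = Counter(p for p, _ in queries)
    ids = Counter(q for _, q in queries)
    return max(ports.values()) > 1 or max(ids.values()) > 1


if __name__ == "__main__":
    print(pinned_query_port(NAMED_CONF_PINNED))  # 53
    print(pinned_query_port(NAMED_CONF_RANDOM))  # None
    print(looks_poisonable(PINNED_QUERIES))      # True
    print(looks_poisonable(RANDOM_QUERIES))      # False
```

The inbound rules in the thread stay as they are: only the outbound source port changes, and the stateful firewall already matches the replies to those randomized ports.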