[CentOS] Bind Firewall Rules

Wed Jul 23 15:01:58 UTC 2008
John Hinton <webmaster at ew3d.com>

John Hinton wrote:
> Johnny Hughes wrote:
>> John Hinton wrote:
>>> OK, so does anybody have a good firewall rule solution for what
>>> we're supposed to be doing with bind these days? Obviously port 53
>>> is no longer enough.
>>>
>>
>> how do you mean?
>>
>> opening port 53 in is still enough ... the outbound port is what is
>> randomized
>>
>> not sure what kind of problems you are encountering
> I'm trying to pass the test on DNSstuff.com.
>
> These are my firewall rules for bind
>
> Accept     If protocol is TCP and destination port is 53 and state of
> connection is NEW
> Accept     If protocol is UDP and destination port is 53 and state of
> connection is NEW
>
> from my gui or
>
> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j
> ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j
> ACCEPT
>
> from iptables.
>
> I have upgraded bind, but when I remove this line from a config file,
> bind will not restart.
>
> query-source address * port 53;
>
> From what I read, the above line is supposed to be removed. My tests
> from outside state that I am vulnerable to cache injections.
>
> "*Based on the results, a DNS server is vulnerable if:*
> The IPs /AND/ the Query source ports match or the query IDs match.
> Matching query source ports or query IDs make it easier to spoof fake
> results to the DNS server, poisoning its cache."
>
> The IDs in the testing change, but the port stays the same.
>
> I read where the firewall rules need to be fixed due to this change, but
> firewalls have never been my strong point. I have a pretty darned good
> understanding of bind..... but firewalls, not so much.
>
> John
Do I just ask really hard questions or are my questions just not clear?
There has to be others on this list that are running nameservers via
CentOS. This seems to be a nasty issue that we who are running bind need
to get right.

John Hinton
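As an added example (not from the thread or from CentOS/BIND), a small Python check that applies the DNSstuff criterion John quoted to constructed tcpdump-style samples of a resolver's outbound queries, using hypothetical RFC 5737 addresses: it flags the fixed-port pattern that the `query-source address * port 53;` line produces, and the comments note what the firewall must allow once ports are randomized.

```python
"""Apply the DNSstuff criterion quoted in the thread: a resolver is exposed
when its outbound queries keep one source port (or one query ID).  Samples
are constructed tcpdump-style lines using RFC 5737 test addresses."""
import re

# Constructed: resolver still has "query-source address * port 53;", so
# every query leaves from port 53 while only the query ID varies.
FIXED_PORT_CAPTURE = """\
IP 192.0.2.10.53 > 198.51.100.5.53: 4421+ A? example.com. (29)
IP 192.0.2.10.53 > 198.51.100.5.53: 9817+ A? example.net. (29)
IP 192.0.2.10.53 > 198.51.100.5.53: 30512+ A? example.org. (29)
IP 192.0.2.10.53 > 198.51.100.5.53: 1203+ A? example.edu. (29)
"""

# Constructed: after removing that line, ephemeral source ports.  Replies
# return to those ports, so INPUT must accept --state ESTABLISHED as well
# as --dport 53 NEW (the stock CentOS RH-Firewall-1-INPUT chain normally
# carries such an ESTABLISHED,RELATED rule near its top).
RANDOM_PORT_CAPTURE = """\
IP 192.0.2.10.41233 > 198.51.100.5.53: 4421+ A? example.com. (29)
IP 192.0.2.10.58719 > 198.51.100.5.53: 9817+ A? example.net. (29)
IP 192.0.2.10.12004 > 198.51.100.5.53: 30512+ A? example.org. (29)
IP 192.0.2.10.60077 > 198.51.100.5.53: 1203+ A? example.edu. (29)
"""

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)\+? ")


def parse_queries(capture):
    """Return (src_ip, src_port, query_id) tuples for each query line."""
    out = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(5))))
    return out


def assess(capture):
    """Summarise port/ID diversity and apply the quoted vulnerability rule."""
    queries = parse_queries(capture)
    ports = {port for _, port, _ in queries}
    ids = {qid for _, _, qid in queries}
    fixed_port = len(queries) > 1 and len(ports) == 1
    fixed_id = len(queries) > 1 and len(ids) == 1
    return {
        "queries": len(queries),
        "distinct_ports": len(ports),
        "distinct_ids": len(ids),
        "fixed_port": fixed_port,
        "vulnerable": fixed_port or fixed_id,
    }
```

Feed it real outbound-query lines (e.g. from `tcpdump -n udp dst port 53` on the resolver) to confirm whether the "port stays the same" symptom John describes is still present after the BIND change.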