John Hinton wrote:
> Johnny Hughes wrote:
>> John Hinton wrote:
>>> OK, so does anybody have a good firewall rule solution for what
>>> we're supposed to be doing with bind these days? Obviously port 53
>>> is no longer enough.
>>>
>>
>> how do you mean?
>>
>> opening port 53 in is still enough ... the outbound port is what is
>> randomized
>>
>> not sure what kind of problems you are encountering
>
> I'm trying to pass the test on DNSstuff.com.
>
> These are my firewall rules for bind
>
> Accept If protocol is TCP and destination port is 53 and state of
> connection is NEW
> Accept If protocol is UDP and destination port is 53 and state of
> connection is NEW
>
> from my gui or
>
> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j ACCEPT
>
> from iptables.
>
> I have upgraded bind, but when I remove this line from a config file,
> bind will not restart.
>
> query-source address * port 53;
>
> From what I read, the above line is supposed to be removed. My tests
> from outside state that I am vulnerable to cache injections.
>
> "*Based on the results, a DNS server is vulnerable if:*
> The IPs /AND/ the Query source ports match or the query IDs match.
> Matching query source ports or query IDs make it easier to spoof fake
> results to the DNS server, poisoning its cache."
>
> The IDs in the testing change, but the port stays the same.
>
> I read where the firewall rules need to be fixed due to this change, but
> firewalls have never been my strong point. I have a pretty darned good
> understanding of bind..... but firewalls, not so much.
>
> John

Do I just ask really hard questions or are my questions just not clear?

There have to be others on this list that are running nameservers via
CentOS. This seems to be a nasty issue that we who are running bind need
to get right.

John Hinton
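The thread turns on one line in named.conf: `query-source address * port 53;` pins every outbound query to source port 53, so an off-path forger only has to match the 16-bit query ID, which is exactly what the DNSstuff check ("the port stays the same") is flagging. The script below is an added example written for this post, not code from the thread or from the BIND project; the named.conf fragment is constructed, and the quoted query-source line is the only part taken from the post. It finds query-source and query-source-v6 directives that fix the port, rewrites them to `port *` (a form BIND accepts, so the directive can stay rather than be deleted), and reports the approximate guessing space before and after. On the firewall side it assumes the usual CentOS RH-Firewall-1-INPUT layout, where an `ESTABLISHED,RELATED` accept rule precedes the `--dport 53 --state NEW` rules quoted above; with that in place the replies to randomized-port queries are admitted by conntrack and the two port 53 rules remain sufficient for inbound traffic.

```python
import re

# Constructed named.conf fragment for demonstration (not the poster's real
# file). The "query-source address * port 53;" line is the one quoted in the post.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    listen-on port 53 { any; };
    query-source address * port 53;
    query-source-v6 address * port *;
    recursion yes;
};
"""

# Match a query-source / query-source-v6 directive up to its terminating ';'.
# group(1) = leading indent, group(2) = directive name, group(3) = arguments.
QUERY_SOURCE_RE = re.compile(
    r"^(\s*)(query-source(?:-v6)?)\b([^;]*);", re.MULTILINE)
# A 'port' clause inside the directive: either '*' (randomize) or a number.
PORT_RE = re.compile(r"\bport\s+(\*|\d+)")


def fixed_query_source_ports(conf_text):
    """Return [(directive, port)] for each query-source directive that pins
    the outbound source port to one number. 'port *' or no port clause at
    all leaves randomization on and is not reported."""
    findings = []
    for m in QUERY_SOURCE_RE.finditer(conf_text):
        directive, args = m.group(2), m.group(3)
        pm = PORT_RE.search(args)
        if pm and pm.group(1) != "*":
            findings.append((directive, int(pm.group(1))))
    return findings


def spoof_search_space_bits(port_is_fixed):
    """Approximate bits an off-path attacker must guess for a forged answer
    to be accepted: only the 16-bit query ID when the source port is fixed,
    the ID plus roughly 16 bits of port when it is randomized."""
    return 16 if port_is_fixed else 32


def unpin_query_source(conf_text):
    """Rewrite 'port N' to 'port *' in query-source directives, keeping the
    directive itself (BIND accepts it) while re-enabling randomization."""
    def repl(m):
        indent, directive, args = m.group(1), m.group(2), m.group(3)
        return f"{indent}{directive}{PORT_RE.sub('port *', args)};"
    return QUERY_SOURCE_RE.sub(repl, conf_text)


if __name__ == "__main__":
    pinned = fixed_query_source_ports(SAMPLE_NAMED_CONF)
    for directive, port in pinned:
        print(f"{directive} pins outbound source port to {port}: "
              f"forger must guess ~{spoof_search_space_bits(True)} bits")
    fixed = unpin_query_source(SAMPLE_NAMED_CONF)
    print("after rewrite:", fixed_query_source_ports(fixed),
          f"~{spoof_search_space_bits(False)} bits to guess")
    print(fixed)
```

Run it against a real named.conf by replacing `SAMPLE_NAMED_CONF` with the file's contents; an empty list from `fixed_query_source_ports` means the source port is no longer pinned, after which the DNSstuff-style check should see the port change between queries.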