[CentOS] Bind Firewall Rules

Wed Jul 23 17:12:57 UTC 2008
John Hinton <webmaster at ew3d.com>

Paul A wrote:
> Correct me if I'm wrong but from my understanding doesn't the new BIND
> randomize outgoing source ports only? - If so then if you have your firewall
> to allow established connections you should be all set.
>   
Maybe I'm just missing something... I have

-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I'm not very good with firewall rules, but I assume these are the three 
that are important?

I also read within the named.conf file, lines such as

query-source address * port 53;

need to be removed.

Yet when I remove that line, bind will not restart. This is the only 
place in my named.conf file where port 53 is referenced.

Testing from the outside world shows that only port 53 is being used on 
their returns and I'm getting injection potential warnings. This is from 
dnsstuff.com. What they say is that both the query source port and the 
ID need to change. Obviously, I have the query source port set to 53.

Somehow, I need to get past this port issue.

John Hinton
> P.A > -----Original Message-----
> P.A > From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of John Hinton
> P.A > Sent: Wednesday, July 23, 2008 12:41 PM
> P.A > To: CentOS mailing list
> P.A > Subject: Re: [CentOS] Bind Firewall Rules
> P.A > 
> P.A > nate wrote:
> P.A > > John Hinton wrote:
> P.A > >
> P.A > >> Do I just ask really hard questions or are my questions just not clear?
> P.A > >> There has to be others on this list that are running nameservers via
> P.A > >> CentOS. This seems to be a nasty issue that we who are running bind need
> P.A > >> to get right.
> P.A > >>
> P.A > >
> P.A > > And the fix is really stupid for those running name servers behind firewalls.
> P.A > >
> P.A > > I can't say I'm an expert on this particular issue but from what I've
> P.A > > read it seems like the attack depends on being able to send queries to
> P.A > > the name server in question in order to predict the IDs that the system
> P.A > > is generating.
> P.A > >
> P.A > > The way my DNS is setup at home is that I have 2 "external" name servers
> P.A > > that do not allow recursion for domains that they are not responsible
> P.A > > for other than for a couple trusted IPs (all of which are local). My
> P.A > > main caching name server is internal to my network and cannot be directly
> P.A > > queried from the internet. As such I think my exposure is pretty low.
> P.A > > All of my name servers are setup to force their source port to be 53,
> P.A > > I really really don't like the idea of opening up tens of thousands of
> P.A > > ports back to my name servers.
> P.A > >
> P.A > > So I suspect your caching name servers are only vulnerable if they
> P.A > > can be sent queries from the attacker. If your internal network is
> P.A > > trusted then I think you're fairly safe as long as you don't allow
> P.A > > access to the caching name servers externally. And of course run
> P.A > > dedicated name servers for authoritative hosting.
> P.A > >
> P.A > > I plan to have a similar setup at my company, the external authoritative
> P.A > > servers are not behind a firewall (F5 Global traffic managers), the
> P.A > > internal ones are not accessible outside the network. DNS cache
> P.A > > poisoning is the least of my worries if an attacker has access to the
> P.A > > internal network.
> P.A > >
> P.A > > nate
> P.A > >
> P.A > >
> P.A > I'm running caching nameservers on almost all of my systems and then
> P.A > also three nameservers. All are available publicly. I too had hard coded
> P.A > bind to port 53. I also had specifically opened port 53 through the
> P.A > firewall. But now, it appears that using only port 53 is a bad thing.
> P.A > From what I read, both the port and the ID need to change to be secure
> P.A > (even this is just security through obscurity). It's sounding like I'll
> P.A > need to open a port range, but I don't know what a 'good practice'
> P.A > will be.
> P.A > 
> P.A > I read through the redhat notes, googled and read all over the place.
> P.A > All I seem to find is to remove the named.conf line that forces bind
> P.A > through port 53 and then statements like 'your firewall will need to be
> P.A > adjusted accordingly', with no good suggestions for how to do this.
> P.A > 
> P.A > So, I'm faced with turning off the firewall to show good external
> P.A > testing on bind.... sort of like unlocking every window and door to a
> P.A > house, in order to try to keep someone from trying to open just one.
> P.A > 
> P.A > John Hinton
> P.A > _______________________________________________
> P.A > CentOS mailing list
> P.A > CentOS at centos.org
> P.A > http://lists.centos.org/mailman/listinfo/centos
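A small audit helper, added here as an example and not code from anyone in the thread, that implements the two checks the posters are circling: it finds and rewrites the `query-source ... port 53` directive that pins BIND's outgoing port, and it confirms the iptables chain relies on conntrack (the ESTABLISHED,RELATED rule) rather than a fixed source port to let replies back in. The named.conf fragment and the fourth iptables rule are constructed samples; the first three rules are the ones quoted above.

```python
import re

# Constructed named.conf fragment showing the pinned-port directives the thread discusses
# (not the poster's real file).
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    query-source address * port 53;
    query-source-v6 address * port 53;
    recursion yes;
};
"""

# Constructed iptables-save lines: the three rules quoted in the thread plus one
# hypothetical legacy rule that accepts anything merely because it comes from port 53.
SAMPLE_RULES = """\
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --sport 53 -j ACCEPT
"""

# Matches "query-source [address X] port N;" and "query-source-v6 ..." (one directive per line).
PINNED = re.compile(
    r"^([ \t]*)(query-source(?:-v6)?)(?:[ \t]+(.*?))?[ \t]+port[ \t]+(\d+)[ \t]*;", re.M)

def find_pinned_query_ports(conf):
    """Return (directive, port) for every query-source directive that fixes the source port."""
    return [(m.group(2), int(m.group(4))) for m in PINNED.finditer(conf)]

def unpin_query_source(conf):
    """Drop the 'port N' clause so BIND picks a random source port per query; keep the address."""
    def repl(m):
        addr = m.group(3) or "address *"
        return f"{m.group(1)}{m.group(2)} {addr};"
    return PINNED.sub(repl, conf)

def accepts_established_replies(rules):
    """True if an ACCEPT for ESTABLISHED (conntrack) exists: that is what lets UDP answers to
    BIND's random source ports back in without opening an inbound port range."""
    return any("--state" in l and "ESTABLISHED" in l and "-j ACCEPT" in l
               for l in rules.splitlines())

def source_port_53_rules(rules):
    """Rules that accept traffic only because its source port is 53; they were a workaround
    for a pinned query port and become needless once conntrack handles the replies."""
    return [l for l in rules.splitlines() if re.search(r"--sport\s+53\b", l) and "-j ACCEPT" in l]
```

Run named-checkconf on the rewritten file before restarting, so a syntax slip in the options block is caught before the restart fails.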