SLUG Mailing List Archives
Re: [SLUG] re: ipchains and dns server
- To: Michael Fox <michaelf@xxxxxxxxxx>
- Subject: Re: [SLUG] re: ipchains and dns server
- From: Damien Gardner Jnr <rendrag@xxxxxxxxxxx>
- Date: Wed Aug 23 01:49:54 2000
- Cc: slug@xxxxxxxxxxx
- User-agent: Mutt/1.0.1i
On Tue, Aug 22, 2000 at 10:19:52PM +1000, Michael Fox said:
--> The machine hosts several domains, so I have to make sure that named will
--> communicate to the outside world to do zone-xfers.
--> So could someone be so kind to put me out of my pain and show me how they
--> have done the dns bit, especially when using a default input policy of
--> I need to open up the right ports/protocols to allow nslookup to work and
--> also zone-xfers to the secondary.
I've got basically the same policy setup on a remote box which lives at mum's in Central Vic..
BIND usually uses udp for doing dns lookups, but when doing zone transfers, or if the results of the lookup exceed the size of a udp packet, it will revert to tcp. You need to allow in tcp and udp to port 53 of your dns server - something like the following:
# Allow DNS would help somewhat
## In to ns1: queries from anywhere to port 53 on the dns server (tcp and udp)
/sbin/ipchains -I input -j ACCEPT -p tcp -d 18.104.22.168 53
/sbin/ipchains -I input -j ACCEPT -p udp -d 22.214.171.124 53
## Replies from other name servers (source port 53) back in to ns1
/sbin/ipchains -I input -j ACCEPT -p tcp -s 0/0 53 -d 126.96.36.199
/sbin/ipchains -I input -j ACCEPT -p udp -s 0/0 53 -d 188.8.131.52
You'll also want to make sure your named is bound to port 53 for its query-source - otherwise it'll pick a random source port, and make it nigh on impossible to do your firewall rules to allow it back in..
# Put this in your named.conf (inside the options { } block)
query-source address 184.108.40.206 port 53;
Oh yeah, and replace 220.127.116.11 with the IP of your dns server.. :)
Damien Gardner Jnr - Dip.EE StudIEAust
rendrag@xxxxxxxxxxx - http://www.rendrag.net/
Ph: 0417 055 052 - Fax: 02 6299 9713
-- Can I trade this job for what's behind door # 2?
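The reason both the tcp and udp rules above are needed is the fallback Damien describes: a resolver queries over udp first, and retries over tcp only when the reply comes back with the TC (truncated) bit set, while zone transfers (AXFR) always run over tcp with a two-byte length prefix on each message. The following is an added illustration of that decision logic with constructed DNS messages; it is not code from the original post, and the function names are my own.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR_FLAG = 0x8000       # message is a response
RD_FLAG = 0x0100       # recursion desired (set on ordinary queries)
TC_FLAG = 0x0200       # response was truncated to fit in a UDP datagram
QTYPE_A = 1
QTYPE_AXFR = 252       # full zone transfer, always carried over TCP

def build_header(txid, flags, qd=1, an=0, ns=0, ar=0):
    """Pack the fixed 12-byte DNS header."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)

def build_question(name, qtype, qclass=1):
    """Encode a question section: length-prefixed labels, then QTYPE and QCLASS."""
    labels = b"".join(bytes([len(label)]) + label.encode()
                      for label in name.rstrip(".").split("."))
    return labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def needs_tcp_retry(udp_response):
    """True when a UDP reply carries the TC bit, i.e. the answer did not fit."""
    if len(udp_response) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!HHHHHH", udp_response[:12])[1]
    return bool(flags & QR_FLAG) and bool(flags & TC_FLAG)

def transport_for(qtype, udp_response=None):
    """Pick the transport: AXFR goes straight to TCP; otherwise UDP first, TCP on TC."""
    if qtype == QTYPE_AXFR:
        return "tcp"
    if udp_response is not None and needs_tcp_retry(udp_response):
        return "tcp"
    return "udp"

def frame_for_tcp(message):
    """DNS over TCP prefixes each message with its two-byte big-endian length."""
    return struct.pack("!H", len(message)) + message

if __name__ == "__main__":
    # Constructed sample: a query and a truncated reply to it
    query = build_header(0x1234, RD_FLAG) + build_question("example.com", QTYPE_A)
    truncated = build_header(0x1234, QR_FLAG | TC_FLAG) + build_question("example.com", QTYPE_A)
    print(transport_for(QTYPE_A, truncated))          # tcp
    print(frame_for_tcp(query)[:2].hex())             # 001d (29-byte message)
```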