Re: Bind Firewall Rules




Johnny Hughes wrote:
John Hinton wrote:
OK, so does anybody have a good firewall rule solution for what we're supposed to be doing with bind these days? Obviously port 53 is no longer enough.


how do you mean?

opening port 53 in is still enough ... the outbound port is what is randomized

not sure what kind of problems you are encountering
I'm trying to pass the test on DNSstuff.com.

These are my firewall rules for bind

Accept     If protocol is TCP and destination port is 53 and state of connection is NEW
Accept     If protocol is UDP and destination port is 53 and state of connection is NEW

from my gui or

-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j ACCEPT

from iptables.

I have upgraded bind, but when I remove this line from a config file,
bind will not restart.

query-source address * port 53;

From what I read, the above line is supposed to be removed. My tests
from outside state that I am vulnerable to cache injection.

"Based on the results, a DNS server is vulnerable if:
The IPs AND the Query source ports match or the query IDs match.
Matching query source ports or query IDs make it easier to spoof fake
results to the DNS server, poisoning its cache."

The IDs in the testing change, but the port stays the same.

I read that the firewall rules need to be fixed due to this change, but
firewalls have never been my strong point. I have a pretty darned good
understanding of bind... but firewalls, not so much.

John
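The criterion quoted from the test above, turned into a check an administrator can run over outbound queries observed from their own resolver (for example, pulled from a packet capture). This is an added example, not code from the thread or from BIND; the sample queries, the 192.0.2.10 address and the port/ID values are constructed.

```python
"""Assess outbound DNS query source-port and query-ID randomization.

Applies the rule quoted in the thread: a resolver is at risk when the
source IPs and source ports of its outbound queries all match, or when
the query IDs all match. Distinct counts and entropy are reported too,
so a resolver cycling through only a handful of ports is also visible.
"""
from collections import Counter
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Query:
    src_ip: str
    src_port: int
    query_id: int


def _entropy_bits(values):
    """Shannon entropy (bits) of the observed value distribution."""
    counts = Counter(values)
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def assess(queries):
    """Return the verdict plus supporting figures for a list of Query."""
    if len(queries) < 2:
        raise ValueError("need at least two queries to compare")
    ips = {q.src_ip for q in queries}
    ports = [q.src_port for q in queries]
    ids = [q.query_id for q in queries]
    fixed_port = len(ips) == 1 and len(set(ports)) == 1
    fixed_id = len(set(ids)) == 1
    return {
        "vulnerable": fixed_port or fixed_id,
        "fixed_source_port": fixed_port,
        "fixed_query_id": fixed_id,
        "distinct_ports": len(set(ports)),
        "distinct_ids": len(set(ids)),
        "port_entropy_bits": round(_entropy_bits(ports), 2),
        "id_entropy_bits": round(_entropy_bits(ids), 2),
    }


# Constructed samples: a resolver pinned to port 53 by a "query-source ... port 53"
# option, and the same resolver after the option was removed (random ports).
PINNED = [Query("192.0.2.10", 53, qid) for qid in (0x1A2B, 0x7F10, 0x3C44, 0x9E01)]
RANDOMIZED = [Query("192.0.2.10", p, qid) for p, qid in
              ((40123, 0x1A2B), (51877, 0x7F10), (33210, 0x3C44), (60492, 0x9E01))]

if __name__ == "__main__":
    for name, sample in (("pinned", PINNED), ("randomized", RANDOMIZED)):
        print(name, assess(sample))
```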

------------------------------------------------------------------------

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

