Re: Bind Firewall Rules




On Mon, Jul 21, 2008 at 6:37 AM, John Hinton <webmaster@xxxxxxxx> wrote:
> Johnny Hughes wrote:
>>
>> John Hinton wrote:
>>>
>>> OK, so does anybody have a good firewall rule solution for what we're
>>> supposed to be doing with bind these days? Obviously port 53 is no longer
>>> enough.
>>>
>>
>> how do you mean?
>>
>> opening port 53 in is still enough ... the outbound port is what is
>> randomized
>>
>> not sure what kind of problems you are encountering
>
> I'm trying to pass the test on DNSstuff.com.
>
> These are my firewall rules for bind
>
> Accept     If protocol is TCP and destination port is 53 and state of
> connection is NEW
> Accept     If protocol is UDP and destination port is 53 and state of
> connection is NEW
>
> from my gui or
>
> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j
> ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j
> ACCEPT
>
> from iptables.
>
> I have upgraded bind, but when I remove this line from a config file,
> bind will not restart.
>
> query-source address * port 53;
>
> From what I read, the above line is supposed to be removed. My tests
> from outside states that I am vulnerable to cache injections.
>

I don't think your problem is with your firewall... it's with something
in the bind configs that is causing bind not to work without the
query-source line. What errors are you seeing?

> "*Based on the results, a DNS server is vulnerable if:*
> The IPs /AND/ the Query source ports match or the query IDs match.
> Matching query source ports or query IDs make it easier to spoof fake
> results to the DNS server, poisoning its cache."
>

-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
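Two defender-side checks that follow from the thread, as an added example (this is not code from the list post, from CentOS, or from BIND): the first scans a named.conf for a `query-source` / `query-source-v6` statement that pins the outbound port, which is what the quoted `query-source address * port 53;` line does and what defeats BIND's source-port randomization; the second applies the DNSstuff criterion quoted above (repeated query source ports or repeated query IDs) to a set of observed outgoing queries. The configuration text and the (port, ID) observations are constructed for the example, and the parser is a plain line-oriented scan, not BIND's own configuration grammar.

```python
"""Checks for pinned DNS query source ports (constructed example).

1. pinned_query_source_ports(): flag query-source statements that fix the
   outbound port. With a fixed port an attacker spoofing replies only has to
   guess the 16-bit query ID; a randomized port adds up to ~16 more bits.
2. assess_query_observations(): given (source_port, query_id) pairs seen on a
   resolver's outgoing queries, report repeats in the way the DNSstuff test
   quoted in the thread describes.
"""
import re
from collections import Counter

# Matches `query-source ...;` and `query-source-v6 ...;` at the start of a
# line. Lines commented out with // or # do not start with the keyword, so
# they are skipped; /* */ block comments are not handled by this simple scan.
_QUERY_SOURCE_RE = re.compile(r"^\s*(query-source(?:-v6)?)\s+([^;]*);", re.MULTILINE)


def pinned_query_source_ports(named_conf: str) -> list:
    """Return (statement, port) for every query-source statement that pins a
    fixed port. `port *` or no port clause leaves the port randomized."""
    pinned = []
    for match in _QUERY_SOURCE_RE.finditer(named_conf):
        statement, tokens = match.group(1), match.group(2).split()
        port = None
        if "port" in tokens:
            idx = tokens.index("port")
            if idx + 1 < len(tokens):
                port = tokens[idx + 1]
        if port is not None and port != "*":
            pinned.append((statement, port))
    return pinned


def assess_query_observations(observations) -> dict:
    """observations: iterable of (source_port, query_id) pairs from outgoing
    queries. Any repeated port or repeated ID in a small sample is flagged,
    following the criterion quoted in the thread; a properly randomized
    resolver almost never repeats either within a few dozen queries."""
    obs = list(observations)
    ports = Counter(port for port, _ in obs)
    ids = Counter(qid for _, qid in obs)
    ports_repeat = len(ports) < len(obs)
    ids_repeat = len(ids) < len(obs)
    return {
        "queries": len(obs),
        "distinct_ports": len(ports),
        "distinct_ids": len(ids),
        "ports_repeat": ports_repeat,
        "ids_repeat": ids_repeat,
        # True when every query left from one port, as with `port 53` pinned.
        "port_pinned": len(obs) > 1 and len(ports) == 1,
        "flagged": ports_repeat or ids_repeat,
    }


# Constructed named.conf fragment: one pinned statement, one randomized one.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    // pinned outbound port, as in the quoted thread
    query-source address * port 53;
    query-source-v6 address * port *;
    recursion yes;
};
"""

# Constructed observations: (source_port, query_id) of four outgoing queries.
PINNED_PORT_OBSERVATIONS = [(53, 0x1A2B), (53, 0x7C3D), (53, 0x0F10), (53, 0x5E6F)]
RANDOMIZED_OBSERVATIONS = [(40213, 0x1A2B), (51877, 0x7C3D), (33902, 0x0F10), (59340, 0x5E6F)]

if __name__ == "__main__":
    print("pinned statements:", pinned_query_source_ports(SAMPLE_NAMED_CONF))
    print("pinned resolver:  ", assess_query_observations(PINNED_PORT_OBSERVATIONS))
    print("randomized:       ", assess_query_observations(RANDOMIZED_OBSERVATIONS))
```

In the thread's situation the first check reports the `query-source` statement with port `53`, and observations from such a resolver show one distinct port across all queries, which is exactly the "query source ports match" condition in the quoted test text. Once the port clause is removed (or set to `*`), the inbound `--dport 53` iptables rules quoted in the thread are still what is needed for incoming queries; the randomized outbound port only matters for the replies coming back, which a stateful firewall tracks by connection state.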
