OK, so does anybody have a good firewall rule solution for what we're supposed to be doing with bind these days? Obviously port 53 is no longer enough.

TIA

John Hinton
On Sat, 2008-07-19 at 15:27 -0400, John Hinton wrote:
> OK, so does anybody have a good firewall rule solution for what we're
> supposed to be doing with bind these days? Obviously port 53 is no
> longer enough.
----
are you opening both tcp and udp?

Craig
John Hinton wrote:
> OK, so does anybody have a good firewall rule solution for what we're
> supposed to be doing with bind these days? Obviously port 53 is no
> longer enough.
>
how do you mean?

opening port 53 in is still enough ... the outbound port is what is randomized

not sure what kind of problems you are encountering
Johnny Hughes wrote:
> John Hinton wrote:
>> OK, so does anybody have a good firewall rule solution for what we're
>> supposed to be doing with bind these days? Obviously port 53 is no
>> longer enough.
>>
>
> how do you mean?
>
> opening port 53 in is still enough ... the outbound port is what is
> randomized
>
> not sure what kind of problems you are encountering

I'm trying to pass the test on DNSstuff.com. These are my firewall rules for bind

Accept If protocol is TCP and destination port is 53 and state of connection is NEW
Accept If protocol is UDP and destination port is 53 and state of connection is NEW

from my gui or

-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j ACCEPT

from iptables. I have upgraded bind, but when I remove this line from a config file, bind will not restart.

query-source address * port 53;

From what I read, the above line is supposed to be removed. My tests from outside states that I am vulnerable to cache injections.

"*Based on the results, a DNS server is vulnerable if:* The IPs /AND/ the Query source ports match or the query IDs match. Matching query source ports or query IDs make it easier to spoof fake results to the DNS server, poisoning its cache."

The IDs in the testing change, but the port stays the same. I read where the firewall rules need to be fixed due to this change, but firewalls have never been my strong point. I have a pretty darned good understanding of bind..... but firewalls, not so much.

John

>
> ------------------------------------------------------------------------
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
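As an added example, not from any post in this thread: a small shell script that checks a named.conf for a pinned query-source port (the setting John is being told to remove, since it defeats source port randomization) and prints the CentOS-style iptables rules under which the resolver's randomized outbound queries still get their replies back, without opening a port range. The chain name RH-Firewall-1-INPUT and the rule format follow John's post; the helper names and the named.conf contents used in testing are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers for the situation John
# describes: BIND must pick a random source port per query, and the
# firewall must still let the replies back in without opening a port range.

# Exit 0 if the named.conf given as $1 pins the query source port
# (e.g. "query-source address * port 53;"), which disables port
# randomization. "port *" and commented-out lines are not flagged.
pinned_query_port() {
    grep -E '^[[:space:]]*query-source(-v6)?[^;]*[[:space:]]port[[:space:]]+[0-9]+' "$1" >/dev/null
}

# Print the rules for a CentOS RH-Firewall-1-INPUT chain. Inbound port
# 53 stays open for clients; replies to the resolver's own queries sent
# from randomized high ports are matched by connection tracking (first
# rule), so no extra inbound port range is needed.
dns_firewall_rules() {
    cat <<'EOF'
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j ACCEPT
EOF
}

# Audit one config file and say what to change. Returns 1 when the
# port is pinned, 0 otherwise.
audit_resolver() {
    if pinned_query_port "$1"; then
        echo "$1: query-source pins the port; drop 'port N' so BIND can randomize it"
        return 1
    fi
    echo "$1: no pinned query-source port"
    return 0
}
```

Run `audit_resolver /etc/named.conf` on the resolver and compare `dns_firewall_rules` against `iptables-save` to confirm the ESTABLISHED,RELATED rule precedes the port 53 rules.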
On Wed, 23 Jul 2008 12:40:42 -0400, John Hinton wrote
> I'm running caching nameservers on almost all of my systems and then
> also three nameservers. All are available publicly. I too had hard
> coded bind to port 53. I also had specifically opened port 53
> through the firewall. But now, it appears that using only port 53 is
> a bad thing. From what I read, both the port and the ID need to
> change to be secure
> (even this is just security through obscurity). It's sounding like
> I'll need to open a port range, but I don't know what a 'good
> practice' will be.

Port 53 is the dns port used by the world (and your internal private networks) to query your name server. If your name server is intended to provide domain resolution publicly just how do you expect the public to find it if you're randomly changing ports? The world won't port scan your machine until it finds a name server answering on one of them.

Dns requests, internal or external, will come into your box on port 53 and there would be no point to running a name server (private, public, caching or otherwise) if this port is not open through the firewall.

You've misunderstood the issues of dns security. It would be dangerous to start messing with your firewall rules until you understand exactly how the process works.
On Sat, Jul 19, 2008 at 2:27 PM, John Hinton <webmaster at ew3d.com> wrote:
> OK, so does anybody have a good firewall rule solution for what we're
> supposed to be doing with bind these days? Obviously port 53 is no longer
> enough.

Consider using djbdns instead of BIND. It sounds like an excellent alternative to BIND. <http://en.wikipedia.org/wiki/Djbdns>
Bill Campbell wrote:
> On Wed, Jul 23, 2008, Lanny Marcus wrote:
>
>> On Sat, Jul 19, 2008 at 2:27 PM, John Hinton <webmaster at ew3d.com> wrote:
>>
>>> OK, so does anybody have a good firewall rule solution for what we're
>>> supposed to be doing with bind these days? Obviously port 53 is no longer
>>> enough.
>>>
>> Consider using djbdns instead of BIND. It sounds like an excellent alternative
>> to BIND.
>>
>
> We have been using djbdns for years on a variety of Linux platforms and
> FreeBSD, largely because (a) security, (b) performance, and (c) ease of
> use. Not everybody likes Dan Bernstein, but I figure he's somewhat of a
> curmudgeon who designs good software.
>

I know Dan personally, and think I was there during some of the big blowups (well the ones I was there for were big...). He definitely had/has a problem with 'the in crowd', and decided to put his money where his mouth was. I think most have benefited from this. Including the 'in crowd'.

But I also know Vixie et al. quite well and I stay with BIND. Each to their own machinations, IMNSHO.

> As for not having it supported on CentOS, I really don't care about that as
> the majority of the server software we use is built under the OpenPKG.org
> portable packaging system, independent of the underlying OS vendor's
> packaging system.
>
> Bill
>