Date:      Fri, 11 Jan 2002 04:03:43 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        X Philius <xphilius@yahoo.com>
Cc:        "G.P. de Boer" <g.p.de.boer@st.hanze.nl>, security@FreeBSD.ORG, Dave Raven <dave@kill-9.za.net>
Subject:   Re: Help with ipfw rules to allow DNS queries through
Message-ID:  <Pine.BSF.3.96.1020111033032.9201A-100000@gaia.nimnet.asn.au>
In-Reply-To: <20020110034527.76936.qmail@web11804.mail.yahoo.com>

On Wed, 9 Jan 2002, X Philius wrote:

 > I solved the mystery. It looks like Cisco routers can mangle UDP
 > packets involved in DNS queries. The NAT can translate addresses within
 > the packet, as well as the destination, and this messes things up.

Last browse through your rules looked ok, and I was gonna say "must be
NAT, or your Cisco, then" but hadn't got back to you.  Surely this must
be adjustable in the Cisco setup?  If not, it's broken and needs fixing.

 > This does not affect zone transfers (which I believe is all I really
 > need to be authoritative on a domain or six) but does prevent access
 > of my DNS server from outside our local net. 

Not so; your nameserver needs (agrees!) to be available if it's primary
(or secondary) for any domain/s, _as well as_ allowing AXFRs to your
secondary/s, and from any domains you will be a secondary for.  Best
handled with bind ACLs, but limiting access by ipfw also doesn't hurt,
and will save named handling scripted scans, which you can expect ..

 > A search through the bind e-list
 > didn't give me any solution to the problem, but at least I know I'm not
 > nuts. Well, maybe a little nuts, but not about this ;-) Thanks for the
 > help, I'm off to work on the next conundrum....

This is NOT a bind problem - you need to get that Cisco doing the right
thing (ie nothing but clean NAT) for your DNS, or else run NAT locally
inside, or Whatever It Takes to get clean UDP port 53 outside access to
your nameserver to be authoritative for a domain.  Most likely you won't
get any domain delegated until and unless that's working from anywhere.

tcpdump and thick (level 2/3) named logging are still your best friends
while you're figuring out how DNS really works (still a learner here! :) 

Cheers, Ian


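The two layers Ian describes, ipfw in front and bind ACLs behind, as an added example that is not part of the original thread or of anyone's posted configuration. It assumes a nameserver at 192.0.2.53 behind outside interface fxp0 with secondaries at 198.51.100.10 and 203.0.113.10 (all made-up values); it generates the classic stateless ipfw rules and the matching named.conf fragment, and only calls ipfw when run with the argument "apply".

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed values: the
# nameserver is 192.0.2.53 behind interface fxp0 and its secondaries
# are 198.51.100.10 and 203.0.113.10; override via the environment.
NS_IP="${NS_IP:-192.0.2.53}"
EXT_IF="${EXT_IF:-fxp0}"
SECONDARIES="${SECONDARIES:-198.51.100.10 203.0.113.10}"

# Emit ipfw rules (FreeBSD 4.x stateless syntax) that make an
# authoritative nameserver reachable from anywhere on UDP 53, while
# TCP 53 (zone transfers) is only opened to the listed secondaries.
# Arguments: nameserver IP, outside interface, then the secondaries.
dns_rules() {
    ns="$1"; ifc="$2"; shift 2
    echo "add 1000 allow udp from any to $ns 53 in via $ifc"
    echo "add 1010 allow udp from $ns 53 to any out via $ifc"
    for s in "$@"; do
        # only a secondary may open a TCP connection to port 53
        echo "add 1020 allow tcp from $s to $ns 53 in via $ifc setup"
    done
    # segments of already-established TCP 53 sessions, both directions
    echo "add 1030 allow tcp from any to $ns 53 in via $ifc established"
    echo "add 1031 allow tcp from $ns 53 to any out via $ifc established"
    # log anything else aimed at TCP 53 so scans show up in the log
    echo "add 1040 deny log tcp from any to $ns 53 in via $ifc"
}

# Emit the matching named.conf fragment: anyone may query (required to
# be authoritative), only the secondaries may pull zones.
bind_acl() {
    echo "acl secondaries {"
    for s in "$@"; do
        echo "    $s;"
    done
    echo "};"
    echo "options {"
    echo "    allow-query { any; };"
    echo "    allow-transfer { secondaries; };"
    echo "};"
}

if [ "${1:-show}" = "apply" ]; then
    # word-splitting of SECONDARIES and of each rule is intentional
    dns_rules "$NS_IP" "$EXT_IF" $SECONDARIES | while read -r rule; do
        ipfw $rule
    done
else
    dns_rules "$NS_IP" "$EXT_IF" $SECONDARIES
    echo
    bind_acl $SECONDARIES
fi
```

One caveat on the TCP rules: a resolver whose UDP answer comes back truncated (over 512 bytes) retries the same query over TCP, so if your zones produce large answers you need the TCP 53 "setup" rule open to any, not just to the secondaries, and rely on the bind ACL alone to restrict transfers. To check that queries actually arrive unmangled after the Cisco's NAT, watch the outside interface with "tcpdump -n -i fxp0 udp port 53" while querying from outside.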



