Date:      Thu, 31 Dec 1998 08:15:08 -0700
From:      Wes Peters <wes@softweyr.com>
To:        "Joseph T. Lee" <nugundam@la.best.com>
Cc:        Dean <dean@thegrid.net>, Mike Holling <myke@ees.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw and DNS
Message-ID:  <368B94FC.61C6391E@softweyr.com>
References:  <Pine.BSF.4.03.9812291333110.388-100000@phluffy.fks.bt> <368AF355.F8AA6397@thegrid.net> <19981231022419.A13483@la.best.com>

"Joseph T. Lee" wrote:
> 
> On Wed, Dec 30, 1998 at 07:45:25PM -0800, Dean wrote:
> > Mike Holling wrote:
> >
> > > I have the same question you do about DNS.  One of my clients is using a
> > > machine to IP masquerade his LAN onto the Internet via DSL link.  His
> > > provider believes they will be able to successfully keep people from
> > > "running servers" by monitoring traffic and probing connected machines.
> > > Thus, they state that if they detect a DNS server running on his machine
> > > they will charge him $500/mo extra.  Right now the machine is running a
> > > local caching server for the LAN, and I can't think of any good way to
> > > keep external machines from querying it while still allowing responses
> > > from other DNS servers back in. Please let me know if you get any good
> > > answers.
> 
> This is easy.  I've done this because somebody was pinging my IP for
> DNS queries for a while when I neither authorized nor advertised it.
> 
> You can either authorize only a certain group of IPs to access the DNS
> server, as supported by DNS through the Bind 8 equivalent syntax of
> allow-query-by,

If you're running FreeBSD 3.0, it looks like the following syntax might
work:

	options {
	        directory "/var/named";
	        allow-query { localnets; !any; };
		^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	};

Be warned: I haven't tried this.  My DNS server is still running 2.2.7, and
is only a secondary for my domain.  The primary is on Solaris, somewhere off
in ISP land.


-- 
       "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                 Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
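Added example, not part of the thread above: a small Python model of how BIND
evaluates an address match list such as the allow-query list quoted in the
message, so the effect of element order can be checked before a named.conf
is committed. The interface networks that "localnets" expands to
(192.168.1.0/24 plus loopback) and the client addresses are constructed for
the example and are not taken from the thread.

```python
import ipaddress

# Constructed assumption for the example: the networks directly attached to
# the name server's interfaces (LAN plus loopback), which is what BIND's
# built-in "localnets" ACL expands to on a running server.
LOCALNETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
]

BUILTIN_ACLS = {
    "any": [ipaddress.ip_network("0.0.0.0/0")],
    "none": [],
    "localhost": [ipaddress.ip_network("127.0.0.0/8")],
    "localnets": LOCALNETS,
}


def parse_match_list(text):
    """Parse a BIND address match list such as '{ localnets; !any; }'
    into an ordered list of (negated, networks) entries."""
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("match list must be wrapped in braces")
    entries = []
    for raw in body[1:-1].split(";"):
        elem = raw.strip()
        if not elem:
            continue
        negated = elem.startswith("!")
        if negated:
            elem = elem[1:].strip()
        if elem in BUILTIN_ACLS:
            nets = BUILTIN_ACLS[elem]
        else:
            # A literal address or prefix; a bare address means a single host.
            nets = [ipaddress.ip_network(elem, strict=False)]
        entries.append((negated, nets))
    return entries


def allowed(match_list, client):
    """BIND semantics: the first element that matches the client address
    decides. A negated element denies, a plain one allows, and a client
    that matches no element at all is denied."""
    addr = ipaddress.ip_address(client)
    for negated, nets in match_list:
        if any(addr in net for net in nets):
            return not negated
    return False


def decisions(acl_text, clients):
    """Evaluate one allow-query list against several client addresses."""
    acl = parse_match_list(acl_text)
    return {c: allowed(acl, c) for c in clients}


# Constructed client addresses: a LAN host, the server itself, an outsider,
# and one LAN host we may want to single out.
CLIENTS = ["192.168.1.10", "127.0.0.1", "198.51.100.7", "192.168.1.66"]

if __name__ == "__main__":
    for text in (
        "{ localnets; !any; }",       # the list quoted in the message
        "{ localnets; }",             # same effect: unmatched means denied
        "{ !any; localnets; }",       # order reversed: denies everyone
        "{ !192.168.1.66; localnets; }",  # a negation only bites if it comes first
    ):
        print(text, decisions(text, CLIENTS))
```

The first matching element decides, so `{ !any; localnets; }` denies every
client, and the `!any` in the quoted list is redundant because an address that
matches nothing is denied anyway. One caveat for the original question in the
thread: allow-query only makes named answer REFUSED to outside clients, the
socket on port 53 is still there for a provider's probe to find, so keeping the
listener off the external interface (BIND 8 `listen-on`, or the ipfw rules the
thread is about) is a separate step from the ACL.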



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?368B94FC.61C6391E>