From owner-freebsd-questions Thu Mar 23 16:19:46 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from ptavv.es.net (ptavv.es.net [198.128.4.29]) by hub.freebsd.org (Postfix) with ESMTP id 9A4C337BBE3 for ; Thu, 23 Mar 2000 16:19:40 -0800 (PST) (envelope-from oberman@ptavv.es.net)
Received: from ptavv.es.net (localhost [127.0.0.1]) by ptavv.es.net (8.9.3/8.8.8) with ESMTP id QAA22485; Thu, 23 Mar 2000 16:19:31 -0800 (PST)
Message-Id: <200003240019.QAA22485@ptavv.es.net>
To: keramida@ceid.upatras.gr
Cc: J A Shamsi , freebsd-questions@FreeBSD.ORG
Subject: Re: DNS and FIREWALL
In-reply-to: Your message of "Fri, 24 Mar 2000 01:35:02 +0200." <20000324013459.I654@hades.hell.gr>
Date: Thu, 23 Mar 2000 16:19:31 -0800
From: "Kevin Oberman"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> Date: Fri, 24 Mar 2000 01:35:02 +0200
> From: Giorgos Keramidas
> Sender: owner-freebsd-questions@FreeBSD.ORG
>
> On Thu, Mar 23, 2000 at 09:55:41AM -0800, J A Shamsi wrote:
>
> > Hello, I am trying to configure DNS on a machine protected by a firewall.
> > I have named 8.xx. Do I need to use port 53 specifically?
>
> Yes, you have to explicitly allow at least udp/53 for client queries.
> Now, if your named has some secondary zones from other servers, or some
> server outside the firewall is playing backup server for your zones, you
> might also find it useful to allow tcp/53 through.
>
> Being selective on who gets allowed to connect to port tcp/53 is not a
> bad thing. For instance, if you just want your named to play secondary
> for some zone, there is no need to allow incoming tcp/53 connections. You can
> make your named use a non-privileged ephemeral port for queries, and
> allow only outgoing connections to tcp/53.

I'm afraid that this is a very bad idea. The specifications are explicit that a UDP transfer is tried (except for zone transfers) and, if the data is too large for a UDP transfer (512 octets), a TCP connection is made. The 512 octet limit is specified in the DNS RFC and BIND enforces this limit. Unless you want to fight a bunch of weird DNS problems, you must open up both TCP and UDP port 53 access from outside your firewall.

Also note that BIND 8 sources the queries from the normal non-privileged ports and not 53. This can also cause problems with firewalls.

Finally, be sure that you are using BIND 8.2.2P5 or later. All older versions are subject to a significant security problem.

Anyone doing much of anything with BIND should get a copy of DNS & BIND by Albitz and Liu, published by O'Reilly and Assoc. Make sure that it is the third edition, as older ones don't cover V8. You might also want to have copies of RFC-1035 and RFC-2671, the actual standards, and RFC-2181, which clarifies many points that caused confusion in the specs.

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net
Phone: +1 510 486-8634

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
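The UDP-then-TCP fallback that the reply above relies on, as an added example that is not part of this thread or of BIND itself. It builds a DNS query, shows a server applying the 512-octet UDP limit from RFC 1035 by setting the TC (truncation) bit, shows the client deciding to retry over tcp/53, and shows the two-octet length prefix that frames the same message on TCP. Every packet is constructed inline from the RFC 1035 header layout; nothing is sent on the wire, and the addresses and names are placeholders.

```python
"""Why a firewall in front of a DNS server needs tcp/53 as well as udp/53.

Added example, not from the thread. Models the RFC 1035 behaviour the reply
describes: a reply longer than 512 octets cannot be sent whole over UDP, so the
server sets TC and the client comes back over TCP. All data is constructed.
"""
import struct

UDP_MAX_PAYLOAD = 512   # RFC 1035 4.2.1: UDP messages are limited to 512 octets
TC_BIT = 0x0200         # RFC 1035 4.1.1: TrunCation flag in the header flags word
QR, RD, RA = 0x8000, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length-prefixed, terminated by a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard recursive query (RD set) for `name`, class IN; 12-octet header + question."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_reply(query: bytes, addresses: list) -> bytes:
    """Constructed server reply: the query's question followed by one A record per
    address. Each record uses a name pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, QR | RD | RA, 1, len(addresses), 0, 0)
    records = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(a) for a in addresses)
    return header + query[12:] + records


def answer_over_udp(query: bytes, reply: bytes) -> bytes:
    """What the server may put in one UDP datagram: the whole reply if it is within
    the 512-octet limit, otherwise header + question with TC set and no records."""
    if len(reply) <= UDP_MAX_PAYLOAD:
        return reply
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, QR | RD | RA | TC_BIT, 1, 0, 0, 0) + query[12:]


def is_truncated(response: bytes) -> bool:
    """True when the server set TC: the answer did not fit in the UDP limit."""
    if len(response) < 12:
        raise ValueError("DNS header is 12 octets")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_BIT)


def next_transport(udp_response: bytes) -> str:
    """Client decision after a UDP reply: keep it, or re-send the query over tcp/53."""
    return "tcp" if is_truncated(udp_response) else "udp"


def frame_for_tcp(message: bytes) -> bytes:
    """RFC 1035 4.2.2: on TCP each message is prefixed with its length in two octets."""
    return struct.pack("!H", len(message)) + message


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")                      # placeholder name
    small = build_reply(q, [(10, 0, 0, i) for i in range(1, 11)])   # 10 constructed A records
    big = build_reply(q, [(10, 0, 0, i) for i in range(1, 41)])     # 40 constructed A records
    for reply in (small, big):
        datagram = answer_over_udp(q, reply)
        print(f"full reply {len(reply)} octets -> UDP datagram {len(datagram)} octets,"
              f" TC={is_truncated(datagram)}, client retries over {next_transport(datagram)}")
    print("TCP-framed query:", frame_for_tcp(q)[:2].hex(), "+", len(q), "octets")
```

The second reply in the `__main__` block is 669 octets, so the datagram comes back as a 29-octet header-plus-question with TC set and the client opens a TCP connection to port 53 of the same server. A filter that passes udp/53 but not inbound tcp/53 lets the first exchange through and silently breaks the second, which is exactly the "weird DNS problems" the reply warns about.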