Hello, I have a question about DNS server connections. We have a primary DNS server behind a firewall with packet filtering. In my rules I allow all hosts to connect from a port above 1023 to the DNS server's port 53; the problem I have is that many hosts (WAN) try to connect to our DNS server from port 53 to our port 53. Is it necessary to also open the lower port 53 from the source address to the DNS server's port 53, or should I reject connections that use a port number lower than 1023 as source port? Thanks for your help. Harald
At 11:47 AM 15/11/2000 +0100, you wrote:
> Hello,
> I have a question about DNS server connections.
> We have a primary DNS server behind a firewall with packet filtering. In my rules I allow all hosts to connect from a port above 1023 to the DNS server's port 53; the problem I have is that many hosts (WAN) try to connect to our DNS server from port 53 to our port 53.
> Is it necessary to also open the lower port 53 from the source address to the DNS server's port 53, or should I reject connections that use a port number lower than 1023 as source port?

NO NO NO.. Don't ever filter based on source port, as that can be set arbitrarily!!!

You should run separate DNS caches on each segment of your network, as it is only server -> client replies that use weird ports. Server -> server stuff is all port 53. That means that you can happily filter based on destination port on all your different firewalls, and just leave the last jump to your client machines "unfirewalled".

Email me back if you want further specifics, as secure network design is a BIIIG issue.

HTH
Cheers
Nix
hf@wenglor.de wrote:
> Is it necessary to also open the lower port 53 from the source address to the DNS server's port 53, or should I reject connections that use a port number lower than 1023 as source port?

Hello,
AFAIK the clients always ask _their_ nameservers for the addresses. The nameservers in turn try to resolve the addresses recursively and give the final result back to the client. So actually there are other nameservers querying your nameserver for the addresses, and the other nameservers use port 53 too. There is an option of using higher ports for newer BIND implementations, I think, but trying to convince the rest of the internet that all would be better if all were using those unprivileged ports may be a little bit difficult ;-)

Greetings
Roland
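To make the advice in the two replies above concrete (filter on the destination port, never on the source port; server-to-server queries arrive from port 53, while a resolver configured to send from a high port gets its reply back on that high port), here is a small packet-filter simulation. It is an added illustration written for this thread, not code from any of the posters or from BIND; the addresses are constructed placeholders from the RFC 5737 documentation ranges, and the `DestinationPortFilter` class and its rules are a simplified model of a stateful filter, not any real firewall product's rule syntax.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A UDP datagram reduced to the four fields a port filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int


# Constructed placeholder address for "our" primary nameserver.
DNS_SERVER = "192.0.2.53"
DNS_PORT = 53


class DestinationPortFilter:
    """Toy stateful filter that decides on the *destination* port only.

    The source port is never consulted for the allow decision, because the
    sender picks it freely. Queries our own server sends out are remembered,
    so that replies addressed to whatever high port it used are let back in.
    """

    def __init__(self):
        # (remote_ip, remote_port, our_port) tuples for queries we have sent.
        self.pending = set()

    def outbound(self, pkt: Packet) -> bool:
        """Let our server's own traffic out and note what answer to expect."""
        if pkt.src != DNS_SERVER:
            return False
        self.pending.add((pkt.dst, pkt.dport, pkt.sport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Allow a packet from the WAN into our server, or drop it."""
        if pkt.dst != DNS_SERVER:
            return False
        # Rule 1: anything aimed at the DNS service port is accepted, whether
        # the remote side used port 53 (another nameserver) or a high port.
        if pkt.dport == DNS_PORT:
            return True
        # Rule 2: traffic to any other port is accepted only if it answers a
        # query we sent earlier (our server may use a high source port).
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.pending:
            self.pending.discard(key)
            return True
        return False


def demo() -> list:
    """Run the cases from the thread through the filter; returns the verdicts."""
    f = DestinationPortFilter()
    remote_ns = "198.51.100.7"   # constructed: some other site's nameserver
    client = "203.0.113.9"       # constructed: an ordinary client host
    verdicts = [
        # Another nameserver querying us from port 53 -> 53: allowed.
        f.inbound(Packet(remote_ns, 53, DNS_SERVER, 53)),
        # A client querying from an ephemeral port -> 53: allowed.
        f.inbound(Packet(client, 40000, DNS_SERVER, 53)),
        # Source port 53 aimed at a non-DNS port: dropped; the source port
        # earns the sender nothing.
        f.inbound(Packet(remote_ns, 53, DNS_SERVER, 22)),
        # Our server queries out from a high port (the BIND option Roland
        # mentions); the reply to that port is allowed exactly once.
        f.outbound(Packet(DNS_SERVER, 49152, remote_ns, 53)),
        f.inbound(Packet(remote_ns, 53, DNS_SERVER, 49152)),
        # The same "reply" again, or any unsolicited packet to a high port: dropped.
        f.inbound(Packet(remote_ns, 53, DNS_SERVER, 49152)),
    ]
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print("allow" if verdict else "drop")
```

The point of the model is the one Nix makes: both the WAN nameserver using source port 53 and the client using a high source port are accepted by the same destination-port rule, and a packet from source port 53 to some other service is still dropped. Rule 2 only matters on the segment where the last hop to resolvers or clients is, which is why he suggests per-segment caches so the strict destination-port-53 rule can stand everywhere else.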
participants (3)
- hf@wenglor.de
- Nix
- Roland Hilkenbach