At 11:47 AM 15/11/2000 +0100, you wrote:
> Hello,
> I have a question about DNS server connections.
> We have a primary DNS server behind a firewall with packet filtering. In my rules I allow all hosts to connect from a port above 1023 to the DNS server's port 53. The problem I have is that many hosts (WAN) try to connect to our DNS server from port 53 to our port 53.
> Is it necessary to also open the lower port 53 from the source address to the DNS server's port 53, or should I reject connections that use a port number lower than 1023 as the source port?

NO NO NO.. Don't ever filter based on source port, as that can be set arbitrarily!!!

You should run separate DNS caches on each segment of your network, as it is only server -> client replies that use weird ports. Server -> server stuff is all port 53. That means that you can happily filter based on destination port on all your different firewalls, and just leave the last hop to your client machines "unfirewalled".

Email me back if you want further specifics, as secure network design is a BIIIG issue.

HTH
Cheers
Nix
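To make the point about source ports concrete, here is a toy packet filter that contrasts the three rulesets discussed in the thread: the poster's "source port above 1023" rule, the tempting "also trust source port 53" fix, and Nix's "judge on destination port and track replies" approach. This is an added example written for this page, not code from either correspondent; the addresses, hosts and packets are constructed (RFC 5737 documentation ranges), and the flow-state table stands in for what a real firewall's connection tracking does.

```python
"""Toy packet filter contrasting three ways to admit DNS traffic.

Added illustration, not code from the thread. All addresses are from the
RFC 5737 documentation ranges and every packet below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


DNS_SERVER = "192.0.2.53"      # our primary name server (constructed)
INTERNAL_HOST = "192.0.2.10"   # another host behind the same firewall (constructed)
REMOTE_DNS = "198.51.100.2"    # a WAN name server that queries us (constructed)
WAN_HOST = "203.0.113.7"       # a WAN client; also the spoofing sender (constructed)


def rule_high_sport_only(pkt: Packet) -> bool:
    """The poster's rule: only source ports above 1023 may reach our port 53.
    Legitimate server-to-server queries sent from port 53 are dropped."""
    return pkt.dst == DNS_SERVER and pkt.dport == 53 and pkt.sport > 1023


def rule_trust_sport_53(pkt: Packet) -> bool:
    """The tempting fix: also admit anything claiming source port 53.
    The sender chooses its own source port, so this admits whatever it likes."""
    return pkt.sport == 53 or rule_high_sport_only(pkt)


class DestinationPortFilter:
    """Nix's advice: judge unsolicited traffic by destination port only, and
    admit replies to our own queries via flow state rather than source-port
    guesses (the job that iptables/nftables connection tracking does for UDP)."""

    def __init__(self) -> None:
        self._expected_replies = set()   # (proto, src, sport, dst, dport) of awaited answers

    def outbound(self, pkt: Packet) -> bool:
        """Inside hosts may query port 53 anywhere; remember the flow for the answer."""
        if pkt.dport == 53:
            self._expected_replies.add(
                (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        return False

    def inbound(self, pkt: Packet) -> bool:
        """Admit a tracked reply, or unsolicited traffic aimed at our DNS port."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self._expected_replies:
            self._expected_replies.discard(key)   # one UDP answer per query
            return True
        return pkt.dst == DNS_SERVER and pkt.dport == 53


# Constructed inbound packets arriving at the firewall from the WAN.
SERVER_TO_SERVER = Packet("udp", REMOTE_DNS, 53, DNS_SERVER, 53)      # the traffic the poster saw
CLIENT_QUERY = Packet("udp", WAN_HOST, 40000, DNS_SERVER, 53)         # ordinary resolver query
SPOOFED_SPORT = Packet("tcp", WAN_HOST, 53, INTERNAL_HOST, 8080)      # attacker sets sport=53
# A query our server sends from an ephemeral port, and the answer to it.
OUR_QUERY = Packet("udp", DNS_SERVER, 34567, REMOTE_DNS, 53)
REPLY = Packet("udp", REMOTE_DNS, 53, DNS_SERVER, 34567)


def evaluate() -> dict:
    """Return accept/drop verdicts per policy per packet."""
    unsolicited = {"server_to_server": SERVER_TO_SERVER,
                   "client_query": CLIENT_QUERY,
                   "spoofed_sport": SPOOFED_SPORT}
    results = {
        "high_sport_only": {n: rule_high_sport_only(p) for n, p in unsolicited.items()},
        "trust_sport_53": {n: rule_trust_sport_53(p) for n, p in unsolicited.items()},
    }
    fw = DestinationPortFilter()
    dest = {n: fw.inbound(p) for n, p in unsolicited.items()}
    dest["unsolicited_reply"] = fw.inbound(REPLY)     # no query went out: dropped
    fw.outbound(OUR_QUERY)
    dest["reply_to_our_query"] = fw.inbound(REPLY)    # matches the tracked flow: accepted
    results["destination_port"] = dest
    return results


if __name__ == "__main__":
    for policy, verdicts in evaluate().items():
        print(policy, verdicts)
```

The first policy drops the very server-to-server queries the poster was seeing; the second lets a sender that simply sets its source port to 53 reach an internal service on an unrelated port, which is why source-port matching is never a security boundary; the third accepts both legitimate queries on destination port 53, drops the spoofed packet, and admits an answer from port 53 to an ephemeral port only when a matching query was tracked on the way out. On a real firewall that last behaviour comes from the connection-tracking (ESTABLISHED/RELATED) match, not from a rule naming the remote source port.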