Re Bruno
Please do make an effort to do your homework and read up on the subject yourself.
... sorry ... !!!! .... I said some days ago that I'm quite new to firewalling, so I don't know what's just usual and what not ... ... otherwise I'm not new to networking ...
Oh, there's no problem with being a newbie at all, and you are a rather well-behaved one. ;-)
... and I thought this mailing list is to help if somebody has a problem ... isn't it?
Sure. I believe that's what we're doing, wouldn't you agree? Still, I feel we must be allowed to (politely) urge people to RTM.
So, I've blocked everything with UDP going out except 53 ... is that OK?
Well, there's no answer to that, really, not at the moment. We have no way of telling if that's OK for you; we don't know your requirements, your risks, etc. It's a typical constellation, if that's any help to you. However, I wouldn't enforce DNS security with a packet filter alone; I'd set up a caching proxy for that, preferably dnscache from the djbdns suite, but coupled with a good packet filter, BIND shouldn't pose all too much of a threat either, if you can live with its deficiencies.

Note: No discussion BIND vs. djbdns, please, this is my own, personal opinion. We've dealt with the topic before.

Cheers,
Tobias