LinuxQuestions.org

Linux - Security: Exposing BIND to the internet (http://www.linuxquestions.org/questions/linux-security-4/exposing-bind-to-the-internet-255437/)

erics_acvw 11-16-2004 03:43 AM

Exposing BIND to the internet
 
I want to set up a public DNS. I am already set up as a registered internet DNS. Besides jailing the latest version of BIND, what else do I need to know about securing my server?

What rule will enable port 53 to be open to the world? I've tried:
$IPTABLES -A INPUT -p udp -i $EXTIF -d $EXTIP --dport 53 -j ACCEPT
for simple queries and
$IPTABLES -A INPUT -p tcp -i $EXTIF -d $EXTIP --dport 53 -j ACCEPT
for zone transfers to no avail.

Thanks in advance.

Regards,
Eric S

erics_acvw 11-16-2004 11:16 AM

BTW: I have 2 boxes - box 1 RH7.3, box 2 RH 8.0 each with 2 NICs.

randyding 11-16-2004 11:56 PM

This is from my firewall script for a public DNS server.
Code:

    # local: dns server
    # Here we allow both incoming TCP/UDP requests from the outside world
    # and outgoing TCP/UDP requests as well for recursive lookups from our internal network.

    /sbin/iptables -A INPUT  -i eth0 -j ACCEPT -p udp --dport 1025:65535 --sport domain
    /sbin/iptables -A INPUT  -i eth0 -j ACCEPT -p udp --dport domain
    /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT -p udp --sport domain
    /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT -p udp --dport domain
    /sbin/iptables -A INPUT  -i eth0 -j ACCEPT -p tcp --syn --dport domain
    /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT -p tcp --syn --dport domain

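An added example, not Randy's script or Eric's, written in the `$IPTABLES`/`$EXTIF`/`$EXTIP` style of Eric's rules. It opens UDP and TCP port 53 on the external interface and lets connection tracking admit the replies to the server's own outbound lookups, instead of accepting every UDP packet with source port 53 aimed at ports 1025-65535 (a rule that matches anything that simply sets its source port to 53). The interface name, the address (an RFC 5737 documentation address) and the `DRY_RUN` convention are assumptions; by default the script only prints the commands it would run, so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): stateful iptables rules that expose
# an authoritative name server on the external interface.
EXTIF="${EXTIF:-eth1}"            # assumption: external NIC
EXTIP="${EXTIP:-203.0.113.10}"    # assumption: placeholder public address
IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"           # 1 = print commands only, 0 = apply (needs root)

# Run or print one iptables command, depending on DRY_RUN
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Emit the DNS rule set. Order matters: -A appends, and an earlier rule that
# drops or rejects would win, so the conntrack rule is placed first.
dns_rules() {
    # Replies to lookups this host started (recursive queries to other servers)
    ipt -A INPUT  -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Queries from the outside world to the authoritative server
    ipt -A INPUT  -i "$EXTIF" -d "$EXTIP" -p udp --dport 53 -j ACCEPT
    # TCP 53: zone transfers and answers too large for a UDP datagram
    ipt -A INPUT  -i "$EXTIF" -d "$EXTIP" -p tcp --syn --dport 53 -j ACCEPT
    # Outbound queries the server itself sends
    ipt -A OUTPUT -o "$EXTIF" -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -o "$EXTIF" -p tcp --dport 53 -j ACCEPT
}

# Count the rules in the set that match a pattern (handy for a quick audit)
count_rules() {
    dns_rules | grep -c -- "$1"
}

# Stand-alone use: print (or apply) the rules
dns_rules
```

Run it once as-is to review the output, then `DRY_RUN=0 EXTIF=eth0 sh dns-rules.sh` as root to load the rules; `count_rules 'dport 53'` shows how many port-53 rules the set contains.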

erics_acvw 11-17-2004 02:02 AM

Thanks for the reply, Randy.

Is "domain" supposed to be replaced with mydomain.com?

I'm not using a domain in my LAN, only for my internet site. I'm using a workgroup.

Regards,
Eric S

chort 11-17-2004 05:47 PM

"domain" is the name of the service and maps to the reserved port (53) in /etc/services.

erics_acvw 11-17-2004 10:14 PM

Where in the chain were these rules? Anywhere I put it I get "The DNS server reported that it refuses to respond to the query." error when queried via www.dnsstuff.com. Without the rule the query times out.

Regards,
Eric S

randyding 11-17-2004 10:59 PM

That sounds like a bind configuration issue. I don't know anything about the dnsstuff site; personally I log into a shell account outside my network and use the unix dig command to do outside testing of my name server.

To answer your question, the -A argument places them at the end of the chain. Where exactly they go doesn't matter very much, as long as a rule higher up in the chain does not explicitly deny something you are later trying to accept.

If you can safely do this, you may try disabling the firewall for a short external test and see if the requests are successfully handled.

erics_acvw 11-17-2004 11:51 PM

Thanks Randy.

You are exactly correct on all items. I opened the firewall for a query and got refused. Hmmm... I have 5 statics so I can test from inside, outside or via dnsstuff.com (the most informative).

I guess I have to take a closer look at BIND. Logs show some errors but reports success:

Nov 17 20:48:19 Utopia named[12596]: starting BIND 9.2.1 -u named
Nov 17 20:48:19 Utopia named[12596]: using 1 CPU
Nov 17 20:48:19 Utopia named[12599]: loading configuration from '/etc/named.conf'
Nov 17 20:48:19 Utopia named[12599]: no IPv6 interfaces found
Nov 17 20:48:19 Utopia named[12599]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 17 20:48:19 Utopia named[12599]: listening on IPv4 interface brg0, 192.168.xx.xx#53
Nov 17 20:48:19 Utopia named[12599]: listening on IPv4 interface eth1, xx.xx.xx.xx#53
Nov 17 20:48:19 Utopia named[12599]: command channel listening on 127.0.0.1#953
Nov 17 20:48:19 Utopia named[12599]: /etc/named.conf:8: unknown logging category 'panic' ignored
Nov 17 20:48:19 Utopia named[12599]: /etc/named.conf:9: unknown logging category 'packet' ignored
Nov 17 20:48:19 Utopia named[12599]: /etc/named.conf:10: unknown logging category 'eventlib' ignored
Nov 17 20:48:19 Utopia named: named startup succeeded

So it looks like it's configured correctly. I'll look closer later. Right now I have to go play Dad.

Regards,
Eric S

erics_acvw 11-18-2004 02:34 AM

Got it! The problem was the firewall rule (thanks Randy) and the "allow-query { none; };" directive in named.conf ("none" has to be "any").

Thanks again guys.

Regards,
Eric S
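An added example, not Eric's named.conf, showing the options block that resolves the "refuses to respond" result above: `allow-query { any; }` for an authoritative public server, with recursion restricted to the LAN and zone transfers restricted to one secondary, written to a file and then checked for the `allow-query { none; };` setting that caused the refusal. The LAN range and secondary address are assumptions (RFC 1918 and RFC 5737 addresses); the checker is a plain `sed` match, and the real syntax check runs only if `named-checkconf` is installed.

```shell
#!/bin/sh
# Added example (not from the thread): write a minimal options block for a
# public authoritative BIND server and check its allow-query setting.

# $1 = output path, $2 = allow-query ACL ("none" reproduces Eric's problem, "any" fixes it)
write_named_conf() {
    cat > "$1" <<EOF
options {
    directory "/var/named";
    // who may query at all: everyone, since this server is authoritative
    allow-query { $2; };
    // recursive lookups only for hosts behind the firewall (assumed LAN range)
    allow-recursion { 127.0.0.1; 192.168.0.0/16; };
    // zone transfers only to the secondary (assumed address)
    allow-transfer { 198.51.100.53; };
};
EOF
}

# Print the configured allow-query ACL; exit status 1 when it is "none",
# which makes every external query come back REFUSED.
check_allow_query() {
    acl=$(sed -n 's/^[[:space:]]*allow-query[[:space:]]*{[[:space:]]*\([^;]*\);.*/\1/p' "$1")
    echo "allow-query: ${acl:-<unset>}"
    [ "$acl" != "none" ]
}

# Run BIND's own parser on the file when it is available
syntax_check() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        echo "named-checkconf not installed; skipping syntax check"
    fi
}

# Stand-alone use: generate the broken and fixed variants and check both
conf=$(mktemp)
write_named_conf "$conf" none
check_allow_query "$conf" || echo "external queries would be refused"
write_named_conf "$conf" any
check_allow_query "$conf" && syntax_check "$conf"
rm -f "$conf"
```

The same `check_allow_query` can be pointed at a live /etc/named.conf before restarting named; an `allow-query` of `none` is the setting to look for when every external query is answered with REFUSED while the firewall rules are already in place.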
