Exposing BIND to the internet
I want to set up a public DNS. I am already set up as a registered internet DNS. Besides jailing the latest version of BIND, what else do I need to know about securing my server?
What rule will enable port 53 to be open to the world? I've tried: $IPTABLES -A INPUT -p udp -i $EXTIF -d $EXTIP --dport 53 -j ACCEPT for simple queries and $IPTABLES -A INPUT -p tcp -i $EXTIF -d $EXTIP --dport 53 -j ACCEPT for zone transfers to no avail. Thanks in advance. Regards, Eric S
BTW: I have 2 boxes - box 1 RH7.3, box 2 RH 8.0 each with 2 NICs.
This is from my firewall script for public dns server.
Code:
# local: dns server
Thanks for the reply, Randy.
Is "domain" supposed to be replaced with mydomain.com? I'm not using a domain in my LAN, only for my internet site. I'm using a workgroup. Regards, Eric S
"domain" is the name of the service and maps to the reserved port (53) in /etc/services.
Where in the chain were these rules? Anywhere I put it I get "The DNS server reported that it refuses to respond to the query." error when queried via www.dnsstuff.com. Without the rule the query times out.
Regards, Eric S
That sounds like a bind configuration issue. Don't know anything about the dnsstuff site, personally I log into a shell account outside my network and use the unix dig command to do outside testing of my name server.
To answer your question, the -A argument places them at the end of the chain. Where exactly they go doesn't matter very much, as long as a rule higher up in the chain does not explicitly deny something you are later trying to accept. If you can safely do this, you may try disabling the firewall for a short external test and see if the requests are successfully handled.
Thanks Randy.
You are exactly correct on all items. I opened the firewall for a query and got refused. Hmmm... I have 5 statics so I can test from inside, outside or via dnsstuff.com (the most informative). I guess I have to take a closer look at BIND. Logs show some errors but reports success:
Nov 17 20:48:19 Utopia named[12596]: starting BIND 9.2.1 -u named
Nov 17 20:48:19 Utopia named[12596]: using 1 CPU
Nov 17 20:48:19 Utopia named[12599]: loading configuration from '/etc/named.conf'
Nov 17 20:48:19 Utopia named[12599]: no IPv6 interfaces found
Nov 17 20:48:19 Utopia named[12599]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 17 20:48:19 Utopia named[12599]: listening on IPv4 interface brg0, 192.168.xx.xx#53
Nov 17 20:48:19 Utopia named[12599]: listening on IPv4 interface eth1, xx.xx.xx.xx#53
Nov 17 20:48:19 Utopia named[12599]: command channel listening on 127.0.0.1#953
Nov 17 20:48:19 Utopia named[12599]: /etc/named.conf:8: unknown logging category 'panic' ignored
Nov 17 20:48:19 Utopia named[12599]: /etc/named.conf:9: unknown logging category 'packet' ignored
Nov 17 20:48:19 Utopia named[12599]: /etc/named.conf:10: unknown logging category 'eventlib' ignored
Nov 17 20:48:19 Utopia named: named startup succeeded
So it looks like it's configured correctly. I'll look closer later. Right now I have to go play Dad. Regards, Eric S
Got it! The problem was the firewall rule (thanks Randy) and the "allow-query { none; };" directive in named.conf ("none" has to be "any").
Thanks again guys. Regards, Eric S
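The two halves of the fix the thread arrived at (inbound UDP and TCP 53 accepted on the external interface, and allow-query set to any) combined into one script. This is an added example, not code from the thread or from the BIND project; EXTIF, EXTIP and SECONDARY_NS are constructed placeholder values, and IPTABLES defaults to echo so the rules are printed rather than applied until it is pointed at the real binary.

```shell
#!/bin/sh
# Added example (not from the thread): the inbound DNS rules plus a named.conf
# options block that answers queries from anyone while keeping zone transfers
# and recursion restricted. Dry-run by default: IPTABLES=echo prints the rules.
: "${IPTABLES:=echo}"              # set IPTABLES=/sbin/iptables to apply for real
: "${EXTIF:=eth1}"                 # assumed external interface
: "${EXTIP:=203.0.113.10}"         # assumed public address (documentation range)
: "${SECONDARY_NS:=203.0.113.20}"  # assumed secondary that may pull zones (AXFR)

# Emit the INPUT-chain rules. -A appends, so as Randy said an earlier DROP or
# REJECT on port 53 in the same chain would still win over these.
dns_input_rules() {
    # Queries from anywhere over UDP.
    $IPTABLES -A INPUT -p udp -i "$EXTIF" -d "$EXTIP" --dport 53 -j ACCEPT
    # TCP 53 too: used for zone transfers and for any answer too large for UDP.
    $IPTABLES -A INPUT -p tcp -i "$EXTIF" -d "$EXTIP" --dport 53 -j ACCEPT
}

# Write the options block that matches the thread's fix. "allow-query { none; }"
# refuses every query (the REFUSED the poster saw); "any" opens it up. Transfers
# are limited to the secondary and recursion is off, so the box only answers for
# the zones it is authoritative for.
write_named_options() {
    out="$1"
    cat > "$out" <<EOF
options {
    listen-on port 53 { 127.0.0.1; $EXTIP; };
    allow-query { any; };               // "none" here refused all queries
    allow-transfer { $SECONDARY_NS; };  // AXFR only to the secondary, not the world
    recursion no;                       // authoritative-only server
};
EOF
    # Syntax-check the fragment when BIND's checker is installed (assumed optional).
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$out"
    fi
}

# Stand-alone run: print the rules (dry run) and write the options fragment.
dns_input_rules
write_named_options "${NAMED_OPTIONS_OUT:-./named-options.conf.example}"
```

Run it as-is to see what would be applied; once the output looks right, run it again with IPTABLES=/sbin/iptables and merge the generated options block into /etc/named.conf. Keeping recursion off and allow-transfer narrow is what stops a server that now accepts port 53 from the world from also being usable as an open resolver or a zone dump.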