Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
11-16-2004, 02:43 AM, #1
LQ Newbie; Registered: Nov 2004; Location: Sparks, NV; Distribution: RH7.3, RH8.0, FC10, COS4.5; Posts: 25
Exposing BIND to the internet
I want to set up a public DNS. I am already set up as a registered internet DNS. Besides jailing the latest version of BIND, what else do I need to know about securing my server?
What rule will enable port 53 to be open to the world? I've tried:
Code:
$IPTABLES -A INPUT -p udp -i $EXTIF -d $EXTIP --dport 53 -j ACCEPT
for simple queries and
Code:
$IPTABLES -A INPUT -p tcp -i $EXTIF -d $EXTIP --dport 53 -j ACCEPT
for zone transfers, to no avail.
Thanks in advance.
Regards,
Eric S
11-16-2004, 10:16 AM, #2
LQ Newbie (Original Poster); Registered: Nov 2004; Location: Sparks, NV; Distribution: RH7.3, RH8.0, FC10, COS4.5; Posts: 25
BTW: I have 2 boxes - box 1 RH7.3, box 2 RH 8.0 each with 2 NICs.
11-16-2004, 10:56 PM, #3
Member; Registered: May 2004; Posts: 552
This is from my firewall script for public dns server.
Code:
# local: dns server
# Here we allow both incoming TCP/UDP requests from the outside world
# and outgoing TCP/UDP requests as well for recursive lookups from our internal network.
/sbin/iptables -A INPUT -i eth0 -j ACCEPT -p udp --dport 1025:65535 --sport domain
/sbin/iptables -A INPUT -i eth0 -j ACCEPT -p udp --dport domain
/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT -p udp --sport domain
/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT -p udp --dport domain
/sbin/iptables -A INPUT -i eth0 -j ACCEPT -p tcp --syn --dport domain
/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT -p tcp --syn --dport domain
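The script above is stateless, and its first rule (accept any UDP with source port 53 to any port above 1024) is the classic hole such rulesets leave: anyone can reach every unprivileged UDP service on the box simply by sending from source port 53. The following is an added example, not part of the thread or of Randy's script, that does the same job with connection tracking and a dedicated chain, so the accept rules land ahead of whatever DROP or REJECT already ends INPUT (the placement question raised later in the thread). The interface name, the public address (RFC 5737 documentation space) and the iptables path are assumptions; `IPT=echo` prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread: stateful iptables rules for a public
# DNS server, in place of a stateless "sport 53 to high ports" accept. The
# interface, the address (RFC 5737 documentation space) and the iptables
# path are assumptions; IPT=echo prints the rules instead of loading them.
EXTIF="${EXTIF:-eth0}"
EXTIP="${EXTIP:-203.0.113.10}"
IPT="${IPT:-/sbin/iptables}"

dns_rules() {
    # Own chain for the DNS accepts, jumped to from the top of INPUT, so it
    # is evaluated before any DROP/REJECT already at the end of INPUT (the
    # placement problem raised in post #6). The -D makes re-runs idempotent.
    $IPT -N DNS_IN 2>/dev/null || $IPT -F DNS_IN
    $IPT -D INPUT -i "$EXTIF" -d "$EXTIP" -j DNS_IN 2>/dev/null
    $IPT -I INPUT 1 -i "$EXTIF" -d "$EXTIP" -j DNS_IN
    # Packets of flows conntrack already knows (replies to lookups named
    # sends out, the rest of an accepted TCP stream) are let in here. This
    # replaces a blanket "--sport domain --dport 1025:65535" rule, which
    # lets anyone through by simply sending from source port 53.
    $IPT -A DNS_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New queries from anyone: UDP 53, and TCP 53 for answers too large for
    # UDP (TC bit set) and for zone transfers. The firewall cannot tell an
    # AXFR from an ordinary TCP query, so transfers are restricted with
    # allow-transfer in named.conf, not here.
    $IPT -A DNS_IN -p udp --dport 53 -j ACCEPT
    $IPT -A DNS_IN -p tcp --dport 53 --syn -j ACCEPT
    # Anything else to this address goes back to the rest of INPUT.
    $IPT -A DNS_IN -j RETURN
    # Queries named itself sends (to the roots, to other authoritative
    # servers, or on behalf of the LAN if recursion is allowed), plus the
    # replies to inbound queries, for hosts with a restrictive OUTPUT chain.
    $IPT -A OUTPUT -o "$EXTIF" -s "$EXTIP" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -s "$EXTIP" -p tcp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    apply) dns_rules ;;                     # needs root
    show)  IPT=echo; dns_rules ;;           # dry run: print the rules
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

`-m state` is the 2.4-kernel-era match the thread's Red Hat versions understand; on current kernels `-m conntrack --ctstate` is the equivalent. Run `sh dns-fw.sh show` first, compare the printed rules with `iptables -L INPUT -n --line-numbers`, and only then `apply`.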
11-17-2004, 01:02 AM, #4
LQ Newbie (Original Poster); Registered: Nov 2004; Location: Sparks, NV; Distribution: RH7.3, RH8.0, FC10, COS4.5; Posts: 25
Thanks for the reply, Randy.
Is "domain" supposed to be replaced with mydomain.com?
I'm not using a domain in my LAN, only for my internet site. I'm using a workgroup.
Regards,
Eric S
Last edited by erics_acvw; 11-17-2004 at 01:16 AM.
11-17-2004, 04:47 PM, #5
Senior Member; Registered: Jul 2003; Location: Silicon Valley, USA; Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5; Posts: 3,660
"domain" is the name of the service and maps to the reserved port (53) in /etc/services.
11-17-2004, 09:14 PM, #6
LQ Newbie (Original Poster); Registered: Nov 2004; Location: Sparks, NV; Distribution: RH7.3, RH8.0, FC10, COS4.5; Posts: 25
Where in the chain were these rules? Anywhere I put it I get "The DNS server reported that it refuses to respond to the query." error when queried via www.dnsstuff.com. Without the rule the query times out.
Regards,
Eric S
11-17-2004, 09:59 PM
|
#7
|
|
Member
Registered: May 2004
Posts: 552
Rep:
|
That sounds like a bind configuration issue. I don't know anything about the dnsstuff site; personally I log into a shell account outside my network and use the unix dig command to do outside testing of my name server.
To answer your question, the -A argument places them at the end of the chain. Where exactly they go doesn't matter very much, as long as a rule higher up in the chain does not explicitly deny something you are later trying to accept.
If you can safely do this, you may try disabling the firewall for a short external test and see if the requests are successfully handled.
11-17-2004, 10:51 PM, #8
LQ Newbie (Original Poster); Registered: Nov 2004; Location: Sparks, NV; Distribution: RH7.3, RH8.0, FC10, COS4.5; Posts: 25
Thanks Randy.
You are exactly correct on all items. I opened the firewall for a query and got refused. Hmmm... I have 5 statics so I can test from inside, outside or via dnsstuff.com (the most informative).
I guess I have to take a closer look at BIND. Logs show some errors but report success:
Code:
Nov 17 20:48:19 Utopia named[12596]: starting BIND 9.2.1 -u named
Nov 17 20:48:19 Utopia named[12596]: using 1 CPU
Nov 17 20:48:19 Utopia named[12599]: loading configuration from '/etc/named.conf'
Nov 17 20:48:19 Utopia named[12599]: no IPv6 interfaces found
Nov 17 20:48:19 Utopia named[12599]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 17 20:48:19 Utopia named[12599]: listening on IPv4 interface brg0, 192.168.xx.xx#53
Nov 17 20:48:19 Utopia named[12599]: listening on IPv4 interface eth1, xx.xx.xx.xx#53
Nov 17 20:48:19 Utopia named[12599]: command channel listening on 127.0.0.1#953
Nov 17 20:48:19 Utopia named[12599]: /etc/named.conf:8: unknown logging category 'panic' ignored
Nov 17 20:48:19 Utopia named[12599]: /etc/named.conf:9: unknown logging category 'packet' ignored
Nov 17 20:48:19 Utopia named[12599]: /etc/named.conf:10: unknown logging category 'eventlib' ignored
Nov 17 20:48:19 Utopia named: named startup succeeded
So it looks like it's configured correctly. I'll look closer later. Right now I have to go play Dad.
Regards,
Eric S
Last edited by erics_acvw; 11-18-2004 at 12:50 AM.
11-18-2004, 01:34 AM, #9
LQ Newbie (Original Poster); Registered: Nov 2004; Location: Sparks, NV; Distribution: RH7.3, RH8.0, FC10, COS4.5; Posts: 25
Got it! The problem was the firewall rule (thanks Randy) and the "allow-query { none; };" directive in named.conf ("none" has to be "any").
Thanks again guys.
Regards,
Eric S
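The diagnosis in this thread turned on a distinction worth keeping: a query that times out is being dropped before named sees it (firewall), while a REFUSED answer means named received it and its policy rejected it (here `allow-query { none; }`). Opening `allow-query` to `any` is only the first of the named.conf settings that matter once port 53 faces the internet, which is the rest of the question asked in post #1. The following is an added example, not from the thread, that audits a named.conf "options" block for the settings a public authoritative server should have. The two configs embedded in it are constructed samples, and the secondary's address (198.51.100.53, RFC 5737 documentation space) is an assumption; the startup line in post #8 shows `-u named` (privilege drop) but no `-t` chroot directory, which this check does not cover.

```shell
#!/bin/sh
# Added example, not from the thread: audit the "options" block of a
# named.conf for the settings that matter once port 53 is open to the world.
# The two configs below are constructed samples; the secondary's address
# (198.51.100.53, RFC 5737 documentation space) is an assumption.

# audit_named_conf FILE: print one finding per line; exit 0 if clean.
audit_named_conf() {
    conf="$1"
    rc=0
    # Post #9's bug: a public authoritative server must answer everyone,
    # otherwise every query gets REFUSED (which is how the thread's error
    # differed from a firewall drop, where the query times out).
    if grep -Eq 'allow-query[[:space:]]*\{[[:space:]]*none' "$conf"; then
        echo "allow-query { none; }: named will REFUSE every query"; rc=1
    fi
    # An open recursive resolver is a reflection/amplification source and a
    # cache-poisoning target; authoritative-only servers should not recurse.
    if ! grep -Eq '^[[:space:]]*recursion[[:space:]]+no' "$conf"; then
        echo "recursion not disabled (use recursion no, or allow-recursion for the LAN only)"; rc=1
    fi
    # AXFR cannot be told apart from a normal TCP query by the firewall, so
    # the zone-transfer restriction has to live here (or use TSIG keys).
    if ! grep -Eq 'allow-transfer[[:space:]]*\{' "$conf" \
       || grep -Eq 'allow-transfer[[:space:]]*\{[[:space:]]*any' "$conf"; then
        echo "allow-transfer missing or { any; }: anyone can pull the zones"; rc=1
    fi
    # version.bind CHAOS TXT otherwise hands scanners the exact release.
    if ! grep -Eq '^[[:space:]]*version[[:space:]]+"' "$conf"; then
        echo "version string not overridden (dig @host version.bind chaos txt reveals it)"; rc=1
    fi
    return $rc
}

# Constructed sample, roughly the state the thread ended up debugging.
WEAK_CONF='options {
    directory "/var/named";
    allow-query { none; };
};'

# Constructed sample of the hardened options for an authoritative-only host.
HARDENED_CONF='options {
    directory "/var/named";
    allow-query { any; };              // public answers for our zones
    recursion no;                      // not an open resolver
    allow-transfer { 198.51.100.53; }; // assumed secondary; better: TSIG key
    version "not disclosed";
};'

# Stand-alone use: audit a real file, e.g. sh audit-named.sh /etc/named.conf
if [ $# -gt 0 ]; then
    audit_named_conf "$1"
fi
```

After changing named.conf, check it with `named-checkconf` and reload, then test from outside the network as Randy suggests: `dig @your.public.ip yourzone SOA` should return an answer with the `aa` flag set, `dig @your.public.ip yourzone AXFR` from anything but the secondary should be refused, and `dig @your.public.ip google.com A` should come back REFUSED rather than with an answer, which confirms recursion is off for the world.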