LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 11-16-2004, 02:43 AM   #1
erics_acvw
LQ Newbie
 
Registered: Nov 2004
Location: Sparks, NV
Distribution: RH7.3, RH8.0, FC10, COS4.5
Posts: 25

Rep: Reputation: 16
Exposing BIND to the internet


I want to set up a public DNS. I am already set up as a registered internet DNS. Besides jailing the latest version of BIND, what else do I need to know about securing my server?

What rule will enable port 53 to be open to the world? I've tried:
$IPTABLES -A INPUT -p udp -i $EXTIF -d $EXTIP --dport 53 -j ACCEPT
for simple queries and
$IPTABLES -A INPUT -p tcp -i $EXTIF -d $EXTIP --dport 53 -j ACCEPT
for zone transfers to no avail.

Thanks in advance.

Regards,
Eric S
 
Old 11-16-2004, 10:16 AM   #2
erics_acvw
LQ Newbie
 
Registered: Nov 2004
Location: Sparks, NV
Distribution: RH7.3, RH8.0, FC10, COS4.5
Posts: 25

Original Poster
Rep: Reputation: 16
BTW: I have 2 boxes - box 1 RH7.3, box 2 RH 8.0 each with 2 NICs.
 
Old 11-16-2004, 10:56 PM   #3
randyding
Member
 
Registered: May 2004
Posts: 552

Rep: Reputation: 31
This is from my firewall script for public dns server.
Code:
    # local: dns server
    # Here we allow both incoming TCP/UDP requests from the outside world
    # and outgoing TCP/UDP requests as well for recursive lookups from our internal network.

    /sbin/iptables -A INPUT  -i eth0 -j ACCEPT -p udp --dport 1025:65535 --sport domain
    /sbin/iptables -A INPUT  -i eth0 -j ACCEPT -p udp --dport domain
    /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT -p udp --sport domain
    /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT -p udp --dport domain
    /sbin/iptables -A INPUT  -i eth0 -j ACCEPT -p tcp --syn --dport domain
    /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT -p tcp --syn --dport domain
 
Old 11-17-2004, 01:02 AM   #4
erics_acvw
LQ Newbie
 
Registered: Nov 2004
Location: Sparks, NV
Distribution: RH7.3, RH8.0, FC10, COS4.5
Posts: 25

Original Poster
Rep: Reputation: 16
Thanks for the reply, Randy.

Is "domain" supposed to be replaced with mydomain.com?

I'm not using a domain in my LAN, only for my internet site. I'm using a workgroup.

Regards,
Eric S

Last edited by erics_acvw; 11-17-2004 at 01:16 AM.
 
Old 11-17-2004, 04:47 PM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
"domain" is the name of the service and maps to the reserved port (53) in /etc/services.
 
Old 11-17-2004, 09:14 PM   #6
erics_acvw
LQ Newbie
 
Registered: Nov 2004
Location: Sparks, NV
Distribution: RH7.3, RH8.0, FC10, COS4.5
Posts: 25

Original Poster
Rep: Reputation: 16
Where in the chain were these rules? Anywhere I put it I get "The DNS server reported that it refuses to respond to the query." error when queried via www.dnsstuff.com. Without the rule the querie times out.

Regards,
Eric S
 
Old 11-17-2004, 09:59 PM   #7
randyding
Member
 
Registered: May 2004
Posts: 552

Rep: Reputation: 31
That sounds like a bind configuration issue. Don't know anything about the dnsstuff site, personally I log into a shell account outside my network and use the unix dig command to do outside testing of my name server.

To answer your question, the -A argument places them at the end of the chain. Where exactly they go doesn't matter very much, as long as a rule higher up in the chain does not explicitly deny something you are later trying to accept.

If you can safely do this, you may try disabling the firewall for a short external test and see if the requests are successfully handled.
 
Old 11-17-2004, 10:51 PM   #8
erics_acvw
LQ Newbie
 
Registered: Nov 2004
Location: Sparks, NV
Distribution: RH7.3, RH8.0, FC10, COS4.5
Posts: 25

Original Poster
Rep: Reputation: 16
Thanks Randy.

You are exactly correct on all items. I opened the firewall for a querie and got refused. Hmmm... I have 5 statics so I can test from inside, outside or via dnsstuff.com (the most informative).

I guess I have to take a closer look at BIND. Logs show some errors but reports success:

Nov 17 20:48:19 Utopia named[12596]: starting BIND 9.2.1 -u named
Nov 17 20:48:19 Utopia named[12596]: using 1 CPU
Nov 17 20:48:19 Utopia named[12599]: loading configuration from '/etc/named.conf'
Nov 17 20:48:19 Utopia named[12599]: no IPv6 interfaces found
Nov 17 20:48:19 Utopia named[12599]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 17 20:48:19 Utopia named[12599]: listening on IPv4 interface brg0, 192.168.xx.xx#53
Nov 17 20:48:19 Utopia named[12599]: listening on IPv4 interface eth1, xx.xx.xx.xx#53
Nov 17 20:48:19 Utopia named[12599]: command channel listening on 127.0.0.1#953
Nov 17 20:48:19 Utopia named[12599]: /etc/named.conf:8: unknown logging category 'panic' ignored
Nov 17 20:48:19 Utopia named[12599]: /etc/named.conf:9: unknown logging category 'packet' ignored
Nov 17 20:48:19 Utopia named[12599]: /etc/named.conf:10: unknown logging category 'eventlib' ignored
Nov 17 20:48:19 Utopia named: named startup succeeded

So it looks like it's configured correctly. I'll look closer later. Right now I have to go play Dad.

Regards,
Eric S

Last edited by erics_acvw; 11-18-2004 at 12:50 AM.
 
Old 11-18-2004, 01:34 AM   #9
erics_acvw
LQ Newbie
 
Registered: Nov 2004
Location: Sparks, NV
Distribution: RH7.3, RH8.0, FC10, COS4.5
Posts: 25

Original Poster
Rep: Reputation: 16
Got it! The problem was the firewall rule (thanks Randy) and the "allow-query { none; };" directive in named.conf "none" has to be "any").

Thanks again guys.

Regards,
Eric S
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
best tutorial on the internet for DNS & bind jkmartha Linux - Software 1 06-18-2005 08:15 AM
BIND 9.3.0 Help Pizentios Linux - Software 1 06-01-2005 10:34 AM
How do I revert to Bind 8 from Bind 9? digging4roots Linux - Newbie 3 06-08-2002 04:40 PM
To 'Bind' or not to 'Bind' that is the question jsurgeson Linux - Newbie 2 03-24-2002 03:10 AM
Bind c0c0deuz Linux - Networking 0 12-13-2001 05:33 AM


All times are GMT -5. The time now is 02:26 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration