LinuxQuestions.org - Linux - Newbie
Thread: How to secure port 53 (https://www.linuxquestions.org/questions/linux-newbie-8/how-to-secure-port-53-a-4175420229/)

XenaneX 08-03-2012 03:19 PM

How to secure port 53
 
Shields Up! (https://www.grc.com) reports I have port 53 (Domain Name Server) open. I would like to make it invisible to the outside world but don't know how to do this. Can someone help please? Thanks very much.

acid_kewpie 08-03-2012 05:01 PM

Why do you have it at all in the first place? What is it? What kind of network are you running publicly? We need useful information to give useful advice.

unSpawn 08-03-2012 05:11 PM

Stealth was a craze people succumbed to in the previous millennium. Today you should focus on proper hardening. If you want to block outside access to UDP/53 and TCP/53 you could:
0) block it in your router if you are behind one and use NAT, or
1) make the resolver listen only on your LAN subnet and block queries from outside it, deny outside hosts access to the service via /etc/hosts.deny (if the resolver was compiled with libwrap) and block it in the host's firewall.
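As an added illustration of option 1) above (this is not code posted in the thread), the script below does two of the steps in a checkable way: it reads the local listening-socket table to see which addresses a resolver is bound to on port 53, flags binds that the outside world could reach, and emits host-firewall rules that accept DNS only from a LAN prefix. It assumes the column layout of `ss -Hlntu` (Netid, State, Recv-Q, Send-Q, Local:Port, Peer:Port) and a LAN prefix of 192.168.1.0/24; the socket table embedded in it is constructed, not taken from the poster's machine.

```python
"""Check where a local DNS resolver is bound and generate host-firewall
rules that keep UDP/53 and TCP/53 reachable from the LAN only.

Added example for this thread; not code posted by anyone in it. Assumes
the column layout of `ss -Hlntu` (Netid State Recv-Q Send-Q Local:Port
Peer:Port) and a LAN prefix supplied by the reader.
"""
import ipaddress

# Constructed sample of `ss -Hlntu` output (not captured from the poster's
# machine). Lines 1, 5 and 6 are wildcard binds reachable on every interface,
# line 4 is bound to a public address, lines 2 and 3 are loopback/LAN only.
SAMPLE_SS = """\
udp   UNCONN 0 0       0.0.0.0:53       0.0.0.0:*
udp   UNCONN 0 0     127.0.0.1:53       0.0.0.0:*
udp   UNCONN 0 0  192.168.1.10:53       0.0.0.0:*
udp   UNCONN 0 0   203.0.113.5:53       0.0.0.0:*
udp   UNCONN 0 0          [::]:53          [::]:*
tcp   LISTEN 0 10      0.0.0.0:53       0.0.0.0:*
tcp   LISTEN 0 128   127.0.0.1:631      0.0.0.0:*
"""

WILDCARDS = {"0.0.0.0", "::", "*"}
DNS_PORT = 53


def parse_ss(text):
    """Parse `ss -Hlntu` output into (proto, address, port) tuples."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue  # a '*' port on an unbound socket, nothing to audit
        sockets.append((proto, addr.strip("[]"), int(port)))
    return sockets


def exposed_dns_sockets(sockets, lan):
    """Return port-53 sockets that would accept queries from outside `lan`:
    wildcard binds, and binds to an address that is neither loopback nor
    inside the LAN prefix (a different address family never matches)."""
    lan_net = ipaddress.ip_network(lan, strict=False)
    exposed = []
    for proto, addr, port in sockets:
        if port != DNS_PORT:
            continue
        if addr in WILDCARDS:
            exposed.append((proto, addr, port))
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip in lan_net:
            continue
        exposed.append((proto, addr, port))
    return exposed


def iptables_rules(lan):
    """Host-firewall rules: accept DNS from the LAN prefix, drop it from
    everywhere else. Picks iptables or ip6tables to match the prefix family.
    Order matters: the ACCEPT rules must sit before the DROP rules."""
    family = ipaddress.ip_network(lan, strict=False).version
    tool = "iptables" if family == 4 else "ip6tables"
    rules = []
    for proto in ("udp", "tcp"):
        rules.append(f"{tool} -A INPUT -s {lan} -p {proto} --dport {DNS_PORT} -j ACCEPT")
    for proto in ("udp", "tcp"):
        rules.append(f"{tool} -A INPUT -p {proto} --dport {DNS_PORT} -j DROP")
    return rules


def main():
    lan = "192.168.1.0/24"  # assumption: the reader's LAN prefix
    for proto, addr, port in exposed_dns_sockets(parse_ss(SAMPLE_SS), lan):
        print(f"exposed: {proto} {addr}:{port}")
    print("\n".join(iptables_rules(lan)))


if __name__ == "__main__":
    main()
```

To audit a live box, feed it `ss -Hlntu` output instead of the sample. The generated rules use `-A`, so if an earlier INPUT rule already accepts everything they never fire; check placement with `iptables -L INPUT -n --line-numbers` and use `-I` to insert above such a rule. The firewall is the second layer only: the resolver itself should stop listening on the wildcard address, which for BIND means `listen-on { 127.0.0.1; 192.168.1.10; };` plus `allow-query { localhost; localnets; };` in the `options` block of named.conf, and for dnsmasq `listen-address=` together with `bind-interfaces`. None of this helps if the router forwards port 53 to the host, which is option 0) above.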

acid_kewpie 08-03-2012 05:36 PM

It reads to me that they aren't really aware of what a DNS server is in the first place, and probably want to get rid of whatever it is. May well be wrong though.

XenaneX 08-03-2012 05:44 PM

I'm not running any kind of network and internet is via wired ethernet. I have a rather lengthy hosts file and am behind a firewall. Maybe I am worrying too much. Thanks very much for the help and tips. I am very appreciative and hope I didn't waste anyone's time.

unSpawn 08-03-2012 06:21 PM

Quote:

Originally Posted by XenaneX (Post 4745373)
I'm not running any kind of network and internet is via wired ethernet.

If you don't do router NAT then it could be that it picks up your ISP's filtering?


Quote:

Originally Posted by XenaneX (Post 4745373)
I have a rather lengthy hosts file and am behind a firewall.

Using /etc/hosts to block ad sites is deprecated. Better methods exist but if you think it is not inefficient, incomplete or easy to circumvent then try answering these questions for yourself.



Quote:

Originally Posted by XenaneX (Post 4745373)
Maybe I am worrying too much.

No need to "think", "worry" or "guess" because computing is binary with respect to testing conditions: something is enabled or it is not, something is secure or it is not. The easiest way to find out if a port is actually open is to run a remote scan against the machine. If you don't have a remote host to work from then there are enough free on-line services that offer you Nmap scans: http://nmap-online.com/, http://www.securityspace.com/smysecure/basic_index.html, etc, etc.


Quote:

Originally Posted by XenaneX (Post 4745373)
I am very appreciative and hope I didn't waste anyone's time.

Asking questions is good. Not asking, that's bad.
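The remote check suggested above can be done with a purpose-built probe rather than a general port scanner. The script below is an added example (not something posted in the thread): it sends a real DNS query for example.com to port 53 over UDP and over TCP and classifies the reply, which tells you more than "open" does, because a port that answers with RA set is an open recursive resolver while one that answers REFUSED is reachable but policy-restricted. It assumes you run it from a host outside your own network against your public address; the message layout follows the RFC 1035 header, and the responses used to exercise the parser are constructed.

```python
"""Probe a host's port 53 the way a remote check would: send a real DNS
query over UDP and over TCP and classify what comes back.

Added example for this thread, not a tool anyone in it posted. Assumes the
reader runs it from outside their network against their own public address.
Header parsing follows RFC 1035 section 4.1.1.
"""
import os
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, txid=None, qtype=QTYPE_A):
    """Build a wire-format DNS query with the RD bit set; returns (bytes, id)."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    # id, flags (RD=1), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN), txid


def parse_response(data, txid):
    """Decode the header of a reply; None if it is not a reply to `txid`."""
    if len(data) < 12:
        return None
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # QR bit must be set on a reply
        return None
    return {"rcode": flags & 0x000F, "ra": bool(flags & 0x0080), "answers": ancount}


def verdict(parsed):
    """Turn a decoded header into the answer the poster actually wants."""
    if parsed is None:
        return "no valid reply"
    if parsed["rcode"] == 5:
        return "reachable, query REFUSED (service exposed, policy blocks it)"
    if parsed["ra"] and parsed["rcode"] == 0:
        return "open recursive resolver answers the outside world"
    return f"reachable, rcode={parsed['rcode']}"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf


def probe_udp(host, port=53, name="example.com", timeout=2.0):
    """UDP cannot distinguish filtered from closed: silence is ambiguous."""
    query, txid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (host, port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no reply (filtered or closed; UDP cannot tell)"
    return verdict(parse_response(data, txid))


def probe_tcp(host, port=53, name="example.com", timeout=2.0):
    """TCP gives a clearer signal: RST means closed, a timeout means filtered."""
    query, txid = build_query(name)
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)  # RFC 1035 4.2.2 length prefix
            length = struct.unpack("!H", _recv_exact(s, 2))[0]
            data = _recv_exact(s, length)
    except ConnectionRefusedError:
        return "connection refused (closed, not filtered)"
    except OSError:
        return "no reply (filtered)"
    return verdict(parse_response(data, txid))


if __name__ == "__main__":
    target = sys.argv[1]
    print("udp/53:", probe_udp(target))
    print("tcp/53:", probe_tcp(target))
```

Run it as `python3 dnsprobe.py <your public address>` from a machine that is not on your LAN; from inside, the router and the host's own firewall are not in the path and the result says nothing about outside exposure. The nmap equivalent is `nmap -sU -sT -p 53 <host>` (UDP scanning needs root), but a bare UDP scan reports `open|filtered` when nothing answers, which is exactly the ambiguity the DNS-level probe resolves.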

