LinuxQuestions.org
Old 11-16-2004, 02:43 AM   #1
erics_acvw
LQ Newbie
 
Registered: Nov 2004
Location: Sparks, NV
Distribution: RH7.3, RH8.0, FC10, COS4.5
Posts: 25

Rep: Reputation: 16
Exposing BIND to the internet


I want to set up a public DNS. I am already set up as a registered internet DNS. Besides jailing the latest version of BIND, what else do I need to know about securing my server?

What rule will enable port 53 to be open to the world? I've tried:
$IPTABLES -A INPUT -p udp -i $EXTIF -d $EXTIP --dport 53 -j ACCEPT
for simple queries and
$IPTABLES -A INPUT -p tcp -i $EXTIF -d $EXTIP --dport 53 -j ACCEPT
for zone transfers to no avail.

Thanks in advance.

Regards,
Eric S
 
Old 11-16-2004, 10:16 AM   #2
erics_acvw
LQ Newbie
 
Registered: Nov 2004
Location: Sparks, NV
Distribution: RH7.3, RH8.0, FC10, COS4.5
Posts: 25

Original Poster
Rep: Reputation: 16
BTW: I have 2 boxes - box 1 RH7.3, box 2 RH 8.0 each with 2 NICs.
 
Old 11-16-2004, 10:56 PM   #3
randyding
Member
 
Registered: May 2004
Posts: 552

Rep: Reputation: 31
This is from my firewall script for a public DNS server.
Code:
    # local: dns server
    # Here we allow both incoming TCP/UDP requests from the outside world
    # and outgoing TCP/UDP requests as well for recursive lookups from our internal network.

    /sbin/iptables -A INPUT  -i eth0 -j ACCEPT -p udp --dport 1025:65535 --sport domain
    /sbin/iptables -A INPUT  -i eth0 -j ACCEPT -p udp --dport domain
    /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT -p udp --sport domain
    /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT -p udp --dport domain
    /sbin/iptables -A INPUT  -i eth0 -j ACCEPT -p tcp --syn --dport domain
    /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT -p tcp --syn --dport domain
 
Old 11-17-2004, 01:02 AM   #4
erics_acvw
LQ Newbie
 
Registered: Nov 2004
Location: Sparks, NV
Distribution: RH7.3, RH8.0, FC10, COS4.5
Posts: 25

Original Poster
Rep: Reputation: 16
Thanks for the reply, Randy.

Is "domain" supposed to be replaced with mydomain.com?

I'm not using a domain in my LAN, only for my internet site. I'm using a workgroup.

Regards,
Eric S

 
Old 11-17-2004, 04:47 PM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
"domain" is the name of the service and maps to the reserved port (53) in /etc/services.
 
Old 11-17-2004, 09:14 PM   #6
erics_acvw
LQ Newbie
 
Registered: Nov 2004
Location: Sparks, NV
Distribution: RH7.3, RH8.0, FC10, COS4.5
Posts: 25

Original Poster
Rep: Reputation: 16
Where in the chain were these rules? Anywhere I put it, I get the error "The DNS server reported that it refuses to respond to the query." when queried via www.dnsstuff.com. Without the rule the query times out.

Regards,
Eric S
 
Old 11-17-2004, 09:59 PM   #7
randyding
Member
 
Registered: May 2004
Posts: 552

Rep: Reputation: 31
That sounds like a BIND configuration issue. I don't know anything about the dnsstuff site; personally, I log into a shell account outside my network and use the Unix dig command to do outside testing of my name server.

To answer your question, the -A argument places them at the end of the chain. Where exactly they go doesn't matter very much, as long as a rule higher up in the chain does not explicitly deny something you are later trying to accept.

If you can safely do this, you may try disabling the firewall for a short external test and see if the requests are successfully handled.
 
Old 11-17-2004, 10:51 PM   #8
erics_acvw
LQ Newbie
 
Registered: Nov 2004
Location: Sparks, NV
Distribution: RH7.3, RH8.0, FC10, COS4.5
Posts: 25

Original Poster
Rep: Reputation: 16
Thanks Randy.

You are exactly correct on all items. I opened the firewall for a query and got refused. Hmmm... I have 5 statics so I can test from inside, outside or via dnsstuff.com (the most informative).

I guess I have to take a closer look at BIND. Logs show some errors but report success:

Nov 17 20:48:19 Utopia named[12596]: starting BIND 9.2.1 -u named
Nov 17 20:48:19 Utopia named[12596]: using 1 CPU
Nov 17 20:48:19 Utopia named[12599]: loading configuration from '/etc/named.conf'
Nov 17 20:48:19 Utopia named[12599]: no IPv6 interfaces found
Nov 17 20:48:19 Utopia named[12599]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 17 20:48:19 Utopia named[12599]: listening on IPv4 interface brg0, 192.168.xx.xx#53
Nov 17 20:48:19 Utopia named[12599]: listening on IPv4 interface eth1, xx.xx.xx.xx#53
Nov 17 20:48:19 Utopia named[12599]: command channel listening on 127.0.0.1#953
Nov 17 20:48:19 Utopia named[12599]: /etc/named.conf:8: unknown logging category 'panic' ignored
Nov 17 20:48:19 Utopia named[12599]: /etc/named.conf:9: unknown logging category 'packet' ignored
Nov 17 20:48:19 Utopia named[12599]: /etc/named.conf:10: unknown logging category 'eventlib' ignored
Nov 17 20:48:19 Utopia named: named startup succeeded

So it looks like it's configured correctly. I'll look closer later. Right now I have to go play Dad.

Regards,
Eric S

 
Old 11-18-2004, 01:34 AM   #9
erics_acvw
LQ Newbie
 
Registered: Nov 2004
Location: Sparks, NV
Distribution: RH7.3, RH8.0, FC10, COS4.5
Posts: 25

Original Poster
Rep: Reputation: 16
Got it! The problem was the firewall rule (thanks Randy) and the "allow-query { none; };" directive in named.conf ("none" has to be "any").

Thanks again guys.

Regards,
Eric S
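The two fixes from this thread (randyding's firewall rules in post #3 and the allow-query change in post #9) combined into one script, as an added example that is not code from any poster. It matches replies with connection tracking instead of accepting every UDP packet with source port 53 aimed at ports 1025:65535 (any host can choose source port 53), and it pairs allow-query { any; } with restricted allow-recursion and allow-transfer so the server answers the world for its zones without becoming an open recursive resolver or handing out zone copies. Interface eth0 and the addresses 198.51.100.10, 192.168.0.0/24 and 203.0.113.5 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): stateful iptables rules plus a named.conf
# options stanza for a public authoritative BIND server.
# Assumed values (constructed, replace with your own): external interface eth0,
# public address 198.51.100.10, LAN 192.168.0.0/24, secondary server 203.0.113.5.
# Dry run by default: rules are printed. Set IPT=/sbin/iptables to apply as root.
IPT=${IPT:-echo}
EXTIF=${EXTIF:-eth0}
EXTIP=${EXTIP:-198.51.100.10}
LAN=${LAN:-192.168.0.0/24}
SECONDARY=${SECONDARY:-203.0.113.5}

dns_firewall_rules() {
    # Answers to queries named itself sends come back as ESTABLISHED flows,
    # so there is no need to accept every UDP packet with source port 53
    # aimed at ports 1025:65535 (anything can set its source port to 53).
    $IPT -A INPUT  -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Queries from the world, UDP and TCP, only to the public address.
    # TCP 53 stays open to everyone: it carries truncated answers, not just
    # AXFR, so zone transfers are restricted in named.conf, not here.
    $IPT -A INPUT  -i "$EXTIF" -d "$EXTIP" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT  -i "$EXTIF" -d "$EXTIP" -p tcp --syn --dport 53 -j ACCEPT
    # Outbound lookups named makes on behalf of LAN clients.
    $IPT -A OUTPUT -o "$EXTIF" -s "$EXTIP" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -s "$EXTIP" -p tcp --syn --dport 53 -j ACCEPT
}

named_options() {
    # allow-query { any; } answers the world (the fix in the thread), while
    # recursion and zone transfers stay limited to hosts we trust.
    cat <<EOF
options {
    allow-query     { any; };
    allow-recursion { 127.0.0.1; $LAN; };
    allow-transfer  { $SECONDARY; };
    version         "not disclosed";
};
EOF
}

dns_firewall_rules
named_options
```

Run it as-is to review the output, then with IPT=/sbin/iptables (as root) to load the rules; paste the printed options stanza into /etc/named.conf and check the result from an outside host with dig, as randyding suggests.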
 