Trying to read named.conf forwarders info in bash script.
I am trying to read forwarders from my named.conf file for use in an iptables script. I was wondering if anyone knows an easier way to get this information. This is what I am using now:

# grep -A 10 forwarders /etc/named.conf | grep -m 1 -B 10 \} | tr -d '[:alpha:];{}'

It outputs the IPs with two blank lines. I don't know how to trim off the blank lines and the whitespace without calling yet another program. It seems there should be an easier way to get them since they are between {} brackets in a structure:

Code:
forwarders{ |
Are your forwarders going to change so often that you need a script for your firewall? Couldn't you open that port for outgoing packets that originate locally anyway?
|
Well my aims are to
When running BIND: 1.) Allow my network to query BIND (my 127.0.0.1 rules are loaded elsewhere) 2.) Allow my BIND to query only forwarders. To do this my resolv.conf reads only 127.0.0.1; nameservers can be commented out with #. I pull forwarders from named.conf. When not running BIND: 1) Allow forwarding of traffic directly to nameservers. 2) Allow server to query nameserver directly, instead of through BIND. To do this I uncomment or add nameservers to resolv.conf and rename my named.conf or delete forwarders from it. This makes my firewall reconfigure itself when I mess with BIND configuration. It also allows for very specific rules on port 53. |
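The parsing question in the first post and the two-mode rule set described in the reply above, as an added shell example that is not code from anyone in this thread. It reads the first `forwarders { ... };` block of a named.conf with a single awk invocation (so no blank lines or stray whitespace to trim), reads uncommented `nameserver` lines from resolv.conf, and then prints the iptables rules for either mode instead of applying them. The file paths, the LAN range 192.168.1.0/24, the RFC 5737 addresses in the sample files, and the LOG/DROP catch-all are all assumptions made for the example; reply traffic is assumed to be accepted by a conntrack ESTABLISHED rule loaded elsewhere, as the poster says of their loopback rules.

```shell
#!/bin/sh
# Added example, not from the thread. Prints rules only; nothing is applied.

# Print the IPv4 addresses inside the first "forwarders { ... };" block of a
# named.conf, one per line. Works whether the block is on one line or many,
# with or without a space before "{", and ignores // and # comments.
extract_forwarders() {
    awk '
        { sub(/\/\/.*/, ""); sub(/#.*/, "") }          # drop comments first
        /forwarders[ \t]*\{/ { inblock = 1 }
        inblock {
            line = $0
            sub(/.*forwarders[ \t]*\{/, "", line)         # text after the "{"
            if (line ~ /\}/) { sub(/\}.*/, "", line); done = 1 }
            n = split(line, tok, /[ \t;]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print tok[i]
            if (done) exit                                # first block only
        }
    ' "$1"
}

# Print the nameservers from a resolv.conf. "#nameserver ..." stays ignored,
# and 127.x is skipped because the loopback rules are loaded elsewhere.
extract_nameservers() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 !~ /^127\./ { print $2 }' "$1"
}

# Emit the port-53 rules for the two modes in the post. Arguments: named.conf
# path, resolv.conf path, LAN CIDR. If named.conf is readable and has
# forwarders, BIND is taken to be in use: the LAN may query this host and the
# host may query only the forwarders. Otherwise the host and the LAN may reach
# only the resolv.conf nameservers. Anything else on 53 is logged and dropped.
dns_rules() {
    conf=$1; resolv=$2; lan=$3
    fwd=""
    if [ -r "$conf" ]; then fwd=$(extract_forwarders "$conf"); fi
    if [ -n "$fwd" ]; then
        echo "iptables -A INPUT -s $lan -p udp --dport 53 -j ACCEPT"
        echo "iptables -A INPUT -s $lan -p tcp --dport 53 -j ACCEPT"
        upstream=$fwd
    else
        upstream=$(extract_nameservers "$resolv")
        for ip in $upstream; do
            echo "iptables -A FORWARD -s $lan -d $ip -p udp --dport 53 -j ACCEPT"
            echo "iptables -A FORWARD -s $lan -d $ip -p tcp --dport 53 -j ACCEPT"
        done
    fi
    for ip in $upstream; do
        echo "iptables -A OUTPUT -d $ip -p udp --dport 53 -j ACCEPT"
        echo "iptables -A OUTPUT -d $ip -p tcp --dport 53 -j ACCEPT"
    done
    echo "iptables -A OUTPUT -p udp --dport 53 -j LOG --log-prefix 'DNS-DENY '"
    echo "iptables -A OUTPUT -p udp --dport 53 -j DROP"
}

# Constructed sample files so the script runs offline; the real inputs would
# be /etc/named.conf and /etc/resolv.conf. Prints the directory they live in.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/named.conf" <<'EOF'
options {
    directory "/var/named";
    // forwarders { 198.51.100.1; };   (commented out; must be ignored)
    forwarders {
        192.0.2.53;    // ISP primary (constructed address)
        192.0.2.54;
    };
};
EOF
    cat > "$dir/resolv.conf" <<'EOF'
nameserver 127.0.0.1
#nameserver 192.0.2.53
nameserver 203.0.113.2
EOF
    echo "$dir"
}

samples=$(make_samples)
echo "# with BIND (forwarders found in named.conf):"
dns_rules "$samples/named.conf" "$samples/resolv.conf" 192.168.1.0/24
echo "# without BIND (named.conf renamed away):"
dns_rules "$samples/named.conf.disabled" "$samples/resolv.conf" 192.168.1.0/24
rm -rf "$samples"
```

Renaming named.conf or deleting its forwarders block flips the output from the first mode to the second, which is the reconfigure-on-change behaviour the post wants; piping the printed lines into `sh` would apply them.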
Alright, it makes more sense to me now but it still seems like the long way around. I see no reason to restrict any traffic destined for port 53 that originates locally or on your internal network. Why can't you open up 53 to all outgoing traffic and set resolv.conf with your bind server listed first and your forwarders 2nd and 3rd? If you are running bind your clients will check your machine first whether you are answering queries or forwarding. If bind is not running they will simply look to your alternate servers.
I am always a little leery of scripts that change firewall rules, as if you can't tell :-) |
I want my firewall to allow only very specific dns traffic
The only dns traffic I allow is queries from the local network to the server running the firewall, and queries from the server to the external ISP forwarders. This keeps me from leaving 53 open to outside issues, and allows me to drop and log queries attempting to go to dns servers not in my named.conf or resolv.conf. Basically it helps keep me from being queried, and me from querying unknown nameservers unless I specifically decide to. I'm still learning the ins and outs of BIND, and think a strong dns ruleset may provide some protection against a misconfiguration. |