Re: Best way for one-way DNS traffic
From: Geoffrey T. Falk (gtf@cirp.org)
Date: 02/22/01
- Next message: Bruce A. Mah: "Re: Sudo version 1.6.3p6 now available (fwd)"
- Previous message: H. Wade Minter: "[OOPS] Re: Best way for one-way DNS traffic"
- In reply to: H. Wade Minter: "Best way for one-way DNS traffic"
- Next in thread: Timothy S. Bowers: "Re: Best way for one-way DNS traffic"
- Reply: Timothy S. Bowers: "Re: Best way for one-way DNS traffic"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 22 Feb 2001 12:07:01 -0700 (MST) From: "Geoffrey T. Falk" <gtf@cirp.org> To: "H. Wade Minter" <minter@lunenburg.org>
On 22 Feb, H. Wade Minter wrote:
> My gateway box is running a name server for my home network. Internal
> clients point to the gateway box for DNS service, and the gateway goes out
> and resolves DNS queries.
>
> I've also got an ipfw firewall on the gateway. What I'd like to do is
> make it so internal DNS works like it should, but nobody on the outside
> should be able to connect to port 53.sadm@unired.net.pe
Set up your DNS as a forwarder to your upstream provider's nameserver.
Block all inbound traffic on UDP port 53, except from your ISP's
nameserver. Set up your local zone files also.
This still leaves you open to DoS from someone forging your upstream
provider's IP address. But by blocking source routed packets you can
ensure that nobody else can query your nameserver.
g.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Bruce A. Mah: "Re: Sudo version 1.6.3p6 now available (fwd)"
- Previous message: H. Wade Minter: "[OOPS] Re: Best way for one-way DNS traffic"
- In reply to: H. Wade Minter: "Best way for one-way DNS traffic"
- Next in thread: Timothy S. Bowers: "Re: Best way for one-way DNS traffic"
- Reply: Timothy S. Bowers: "Re: Best way for one-way DNS traffic"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
