Re: DNS server behind a firewall
muxaul_at_lenta.ru
Date: 12/17/04
- Next message: Chris Ott: "Re: Long passwords with Telnet"
- Previous message: chris-usenet_at_roaima.co.uk: "Re: Long passwords with Telnet"
- In reply to: Bruno Wolff III: "Re: DNS server behind a firewall"
- Next in thread: Tim Haynes: "Re: DNS server behind a firewall"
- Reply: Tim Haynes: "Re: DNS server behind a firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 17 Dec 2004 07:16:54 -0800
Thanks a lot for the replies!
Typical records in syslog look this way (udp, 53<->53):
kernel: IN=eth0 OUT=eth1 SRC=194.67.81.64 DST=MY_SERVER LEN=72
TOS=0x00 PREC=0x00 TTL=61 ID=2665 PROTO=UDP SPT=53 DPT=53 LEN=52
or this way (tcp):
kernel: IN=eth0 OUT=eth1 SRC=194.67.160.3 DST=MY_SERVER LEN=44
TOS=0x00 PREC=0x00 TTL=59 ID=48041 DF PROTO=TCP SPT=58162 DPT=53
WINDOW=65535 RES=0x00 SYN URGP=0
The rules I described in the first posting permit
these types of connections to a few trusted DNS servers only.
Thus my question can be put this way: is it necessary to ACCEPT
such connections from all possible hosts/DNS servers in the world
or does it suffice to ACCEPT them from a couple of trusted
upper level DNS servers? Actually, I once called the
maintainers of a DNS server that was trying to establish TCP connections
with our server and asked them _why_. They did _not_ give me a
definite answer. Still, the majority of connection attempts are
of type udp, port 53<->53.
Regards,
Mikhail
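As an added example (not part of Mikhail's post), the following script parses netfilter LOG lines in the format shown above and counts inbound port-53 packets by protocol, by whether the source port is 53 or ephemeral, and by whether the source is on a trusted-resolver list; the log lines and the TRUSTED set are constructed placeholders, and the MY_SERVER token stands in for the real destination as in the post.

```python
import re
from collections import Counter

# Constructed sample lines in the same netfilter LOG format as the post.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT=eth1 SRC=194.67.81.64 DST=MY_SERVER LEN=72 TOS=0x00 PREC=0x00 TTL=61 ID=2665 PROTO=UDP SPT=53 DPT=53 LEN=52
kernel: IN=eth0 OUT=eth1 SRC=194.67.160.3 DST=MY_SERVER LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=48041 DF PROTO=TCP SPT=58162 DPT=53 WINDOW=65535 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT=eth1 SRC=10.0.0.7 DST=MY_SERVER LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=40000 DPT=53 LEN=40
kernel: IN=eth0 OUT=eth1 SRC=10.0.0.7 DST=MY_SERVER LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
"""

# Assumed trusted upper-level resolvers (placeholder; not taken from the post).
TRUSTED = {"194.67.81.64"}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")

def parse_log_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict.
    Flag-only tokens such as DF and SYN carry no '=' and are skipped.
    LEN occurs twice (IP length before PROTO, transport length after it);
    the first is kept as 'LEN', the second as 'LEN2'."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key in fields:
            key = key + "2"
        fields[key] = value
    return fields

def classify_dns(log_text, trusted):
    """Count inbound DNS packets (DPT=53) by (protocol, source-port style, trust).
    Source port 53 is the classic resolver-to-resolver pattern the post sees;
    ephemeral source ports are what stub resolvers and modern servers use."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f.get("DPT") != "53":
            continue  # not DNS traffic; the firewall question is only about port 53
        proto = f.get("PROTO", "?")
        sport = "sport53" if f.get("SPT") == "53" else "ephemeral"
        trust = "trusted" if f.get("SRC") in trusted else "untrusted"
        counts[(proto, sport, trust)] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(classify_dns(SAMPLE_LOG, TRUSTED).items()):
        print(key, n)
```

Running it over a real syslog extract shows how much of the port-53 traffic actually comes from the resolvers a restrictive ACCEPT rule would allow, which is the measurement the question above turns on.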