BIND and iptables


nix45 (MIS), Nov 21, 2002
I haven't gotten around to learning iptables yet, so I need some help on writing some rules to allow DNS queries to pass through the firewall. I'm running BIND 9.1.3 and iptables 1.2.3 on a Red Hat 7.2 box. I thought that you only needed to allow tcp port 53 through, but I've been reading that you also need to allow some other ports through for queries. This is the only rule that I've written for BIND so far…

/sbin/iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -p tcp --dport 53 -j ACCEPT

Thanks for your help.
 
Depends on what you want to do. I don't allow TCP from untrusted hosts into nameservers I've configured. The only purposes TCP name queries serve are zone transfers and possibly large query responses. Internet hosts don't need all this info.

# Allow untrusted hosts standard UDP queries.
# Allow trusted guys zone xfer and all the perks.
iptables -P INPUT DROP
iptables -A INPUT -s 0/0 -d $nameserver -p udp --dport 53 -j ACCEPT
iptables -A INPUT -s $trusted -d $nameserver -p tcp --dport 53 -j ACCEPT
...other rules

BIND also has much better security (TLS) available now, and the ability to filter most BIND features, including recursion, query ACLs, AXFR ACLs, bound interfaces, etc. It's good to have more than one layer of defense, since DNS is historically a highly vulnerable service and BIND has a troubled history.

My .02
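The following is an added example, not code posted in the thread, that expands the two-rule sketch above into a reviewable ruleset for an authoritative nameserver. It uses iptables 1.2.x syntax as found on the poster's Red Hat 7.2 box; the addresses (TEST-NET ranges) and the variable names are assumptions, and the "-m state" match assumes the 2.4 kernel's ip_conntrack/ipt_state modules are loaded. With DRY_RUN=1 the script only prints the commands it would run, so the rule order can be checked without root.

```shell
#!/bin/sh
# Added example (not from the thread): DNS filtering for an authoritative
# nameserver, expanding the reply above. iptables 1.2.x syntax; addresses are
# hypothetical TEST-NET values; "-m state" needs ip_conntrack/ipt_state.
NAMESERVER="${NAMESERVER:-192.0.2.53}"     # address named listens on (assumed)
TRUSTED="${TRUSTED:-192.0.2.0/24}"         # secondaries allowed to pull zones (assumed)
IPT="${IPT:-/sbin/iptables}"

# With DRY_RUN=1 print the command instead of executing it, so the ruleset can
# be reviewed as an unprivileged user; otherwise run iptables for real.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

dns_rules() {
    # Default deny on INPUT; every rule below is a hole punched in that policy.
    run -P INPUT DROP
    run -A INPUT -i lo -j ACCEPT
    # Answers to queries this host sends itself (resolver lookups from a high
    # source port, zone transfers pulled from its masters). Without this a
    # default-DROP policy silently breaks the server's own outbound DNS.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Ordinary queries arrive over UDP 53 from anywhere; UDP is stateless, so
    # no connection-tracking rule is needed for these.
    run -A INPUT -d "$NAMESERVER" -p udp --dport 53 -j ACCEPT
    # TCP 53 carries zone transfers and retries of truncated answers; allow it
    # only from the trusted range.
    run -A INPUT -s "$TRUSTED" -d "$NAMESERVER" -p tcp --dport 53 -j ACCEPT
    # Log other TCP 53 connection attempts (AXFR probing) before dropping them.
    run -A INPUT -d "$NAMESERVER" -p tcp --dport 53 --syn -j LOG --log-prefix "dns-tcp-denied: "
    run -A INPUT -d "$NAMESERVER" -p tcp --dport 53 -j DROP
}

# Number of iptables commands the ruleset emits (sanity check in dry-run mode).
rule_count() {
    ( DRY_RUN=1; dns_rules ) | wc -l | tr -d ' '
}

# Apply only when invoked as "sh dns-rules.sh apply"; sourcing the file just
# defines the functions.
if [ "${1:-}" = apply ]; then
    dns_rules
fi
```

Two caveats worth keeping in mind with this layout. Denying TCP 53 to untrusted hosts also blocks legitimate clients that retry over TCP after a truncated UDP answer, so it only suits zones whose responses stay under the 512-byte UDP limit. And the packet filter should be the second layer, not the only one: the same restriction belongs in BIND's own allow-transfer and allow-recursion ACLs, so a misordered or flushed iptables chain does not hand out the zone.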
 
Thanks marsd, it worked. I'm actually not that worried about BIND security holes because I'm running a LIDS-enabled kernel on this server. I have 95% of the filesystem marked as read-only or deny, and then I wrote ACLs to allow each daemon to work.

Chris
 