On Mar 15, 2011, at 11:08 AM, Martin McCormick wrote:

> Is there a recommended set of firewall rules that ensure that all
> necessary DNS traffic can enter and leave, even the larger
> packets that result from dns-sec?
# allow UDP DNS queries out to the world, and in to your nameservers
## It's faster to do this stateless, and reduces DoS risk against the firewall,
## but you are exposing your network to UDP port scans from source port 53
## (if you have other open UDP ports).  If you want to be stateful, switch to:
##     add pass udp from any to $NAMESERVER_IP 53 keep-state
##     add pass udp from $YOURNET to any 53 keep-state
add pass udp from any to $NAMESERVER_IP 53
add pass udp from $NAMESERVER_IP 53 to any
add pass udp from $YOURNET 53,1024-65535 to any 53
add pass udp from any 53 to $YOURNET 53,1024-65535

# allow TCP DNS outbound and inbound only to nameserver boxes
## Likewise, you can add keep-state if you want to be stateful;
## in which case the established line can be removed.
add pass tcp from any to any established
add pass tcp from $YOURNET to any 53 setup
add pass tcp from any to $NAMESERVER_IP 53 setup

------

For something like a Cisco PIX/ASA, you probably want "no fixup protocol dns" to avoid breaking EDNS, but "fixup protocol dns maximum-length 4096" might be a workable alternative.

Regards,
--
-Chuck

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
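A way to check, from inside the network, whether a ruleset or a DNS "fixup" like the ones discussed above is actually letting DNSSEC-sized replies through. This is an added example written for this page, not code from Chuck's post or from BIND. It builds a DNSKEY query carrying an EDNS0 OPT record that advertises a 4096-byte UDP buffer with the DO bit set, then reads the reply: a TC bit means the resolver is going to retry over TCP/53 (so the TCP rules must be open), a missing OPT record means something in the path stripped EDNS (the PIX/ASA fixup symptom), and an OPT record coming back with a large reply means big UDP is flowing. The name example.com, the 0x1234 transaction ID and the 192.0.2.53 resolver address in the usage line are assumptions for illustration; the three sample replies are constructed in the file, not captured traffic. Only the Python standard library is used.

```python
"""Added example, not part of Chuck's post: build an EDNS0 query that
advertises a 4096-byte UDP buffer and classify the reply to see whether the
firewall in front of a resolver is forcing TCP fallback or stripping EDNS.
Sample replies are constructed below, not captured from a real server."""
import socket
import struct

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR
TC_FLAG = 0x0200   # DNS header flags: truncation bit
DO_FLAG = 0x8000   # EDNS flags (high half of the OPT TTL field): DNSSEC OK


def build_query(name, qtype=48, udp_payload=4096, do=True, txid=0x1234):
    """Standard query for name/qtype (48 = DNSKEY) plus one OPT RR.
    In the OPT RR the CLASS field carries the UDP payload size we accept and
    the DO bit asks the server to include RRSIGs, which is what makes
    DNSSEC replies outgrow 512 bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, DO_FLAG if do else 0, 0)
    return header + question + opt


def _skip_name(buf, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte pointer terminates the name
            return off + 2
        off += length + 1


def parse_response(resp):
    """Extract what matters for the firewall question: TC bit, reply size and
    the server's advertised EDNS payload (None if no OPT RR came back)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QTYPE/QCLASS
    edns_payload = None
    for _ in range(an + ns + ar):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            edns_payload = rclass
    return {"txid": txid, "tc": bool(flags & TC_FLAG), "rcode": flags & 0xF,
            "answers": an, "edns_payload": edns_payload, "size": len(resp)}


def verdict(resp):
    """TRUNCATED: resolver will retry over TCP/53, so the TCP rules must pass.
    NO_EDNS: the OPT RR was stripped (a DNS fixup/ALG, or a non-EDNS server).
    OK: EDNS negotiated, so UDP replies larger than 512 bytes can be used."""
    r = parse_response(resp)
    if r["tc"]:
        return "TRUNCATED"
    if r["edns_payload"] is None:
        return "NO_EDNS"
    return "OK"


def _constructed_reply(query, flags, opt_payload):
    """Constructed sample reply echoing the query's ID and question section."""
    qend = _skip_name(query, 12) + 4
    question = query[12:qend]
    if opt_payload is None:
        return query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + question
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, opt_payload, DO_FLAG, 0)
    return query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 1) + question + opt


QUERY = build_query("example.com")                          # assumed test name
SAMPLE_TRUNCATED = _constructed_reply(QUERY, 0x8380, 4096)  # QR|TC|RD|RA, OPT present
SAMPLE_NO_EDNS = _constructed_reply(QUERY, 0x8180, None)    # QR|RD|RA, OPT stripped
SAMPLE_OK = _constructed_reply(QUERY, 0x8180, 4096)         # QR|RD|RA, OPT echoed


def probe(server, name="example.com", timeout=3.0):
    """Send the query over UDP to a reachable server and classify its reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(65535)
    r = parse_response(data)
    if r["txid"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    return verdict(data), r["size"]


if __name__ == "__main__":
    import sys
    # Assumed usage: python edns_probe.py 192.0.2.53 example.com
    print(probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "example.com"))
```

Run it once against a resolver behind the firewall and once against the same resolver from a host that bypasses it; if the inside run returns NO_EDNS while the outside run returns OK, the firewall (or a DNS fixup on it) is stripping the OPT record, and if it returns TRUNCATED the TCP/53 rules are what will carry the rest of the answer.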