Jor-el wrote:
> > Another possibility is to have the port for outgoing connections be
> > something other than 53 (54 seems unused) and use iptables or ipchains
> > to block data from the outside world coming to port 53.
> [...]
> Of course, in the case of DNS servers, you could be OK, since you
> do want to lessen the number of folks who use your services (right?). But
> in general, I consider this to be poor advice.
That is perfectly true. In fact, restricting access to the (recursive) nameserver should be considered not only as a matter of IP filtering but also in BIND's own configuration (using allow-query and allow-recursion sets). Authoritative name serving is a totally different matter, since you can not predict the source address.

-- Thomas Seyrat.
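As an added illustration of the split Thomas describes (not part of the original thread), here is a BIND 9 named.conf fragment that keeps recursion and cache lookups limited to an ACL while leaving the authoritative zone answerable by anyone. The ACL name "trusted", the 192.0.2.0/24 and 2001:db8::/32 prefixes and the zone "example.com" are placeholders; BIND's own `acl`, `allow-query`, `allow-recursion`, `allow-query-cache` and `listen-on` statements are real directives. The quoted suggestion to pin outgoing queries to one fixed port (via `query-source port`) is deliberately not used: BIND randomizes its query source port by default, and pinning it weakens cache-poisoning resistance, so packet filters should permit ephemeral-port replies rather than one fixed port.

```conf
// Weak setting (what an unrestricted resolver looks like): every
// Internet host may use this server as an open recursive resolver.
//
// options {
//     recursion yes;
//     allow-recursion { any; };   // open resolver
//     allow-query { any; };
// };

// Hardened setting: recursion and cache access only for our own prefixes.
// Placeholder ACL; replace with the real client ranges.
acl "trusted" {
    localhost;
    localnets;
    192.0.2.0/24;        // example IPv4 client range (documentation prefix)
    2001:db8::/32;       // example IPv6 client range (documentation prefix)
};

options {
    directory "/var/named";
    listen-on { any; };
    listen-on-v6 { any; };

    recursion yes;
    allow-recursion   { trusted; };   // who may ask us to resolve for them
    allow-query-cache { trusted; };   // who may read cached (non-authoritative) data
    allow-query       { trusted; };   // default for anything not overridden per zone

    // Source-port randomization stays enabled: no "query-source port" pin.
};

// Authoritative data must remain reachable from anywhere, because the
// source address of a legitimate query cannot be predicted.
zone "example.com" {
    type master;
    file "example.com.zone";     // placeholder zone file
    allow-query { any; };        // per-zone override of the restrictive default
};
```

The per-zone `allow-query { any; }` is what makes the two roles coexist on one daemon: outside hosts can still fetch authoritative records for the zone, but a query for a name the server is not authoritative for is refused unless it comes from "trusted". After editing, `named-checkconf` validates the syntax, and a query from an address outside the ACL for a non-authoritative name should return REFUSED.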