Blocking DNS addresses from general use

Mike Sheldon msheldon@desertraven.com
Tue, 21 Mar 2000 09:56:20 -0700


You don't need both.

If you're looking to keep a particular interface from being queried, I would
use the IP Chains approach, or use the listen-on directive in the global
settings of named.conf to force BIND to listen only on specific IP
addresses.

Actually, in this case, I might do both. There's no point in having BIND
listen on an address it should never receive queries on. And, you probably
don't want DNS queries even making it that far from the outside, hence the
use of IP Chains.

Use of listen-on:

If your machine has addresses at 192.168.100.1, 192.168.101.1 and
24.1.45.78, and you wanted to restrict BIND from answering on the public
interface:

options {
  listen-on { 192.168.100.1; 192.168.101.1; };
};


Michael J. Sheldon
Internet Applications Developer
Phone: 480.699.1084
http://www.desertraven.com/
PGP Key Available on Request
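A small checker for the listen-on point above, added here as an example and not code from the post: given the host's addresses and the text of named.conf, it reports which public addresses BIND would still bind to, keeping in mind that no listen-on at all means every interface, so you know which addresses the IP Chains rules must cover. The sample config and addresses are constructed from the scenario in the post.

```python
import re

# Constructed sample mirroring the scenario in the post: the host owns two
# internal addresses and one public one, and named.conf restricts listening.
SAMPLE_NAMED_CONF = """
options {
  directory "/var/named";   // comment styles BIND accepts
  listen-on { 192.168.100.1; 192.168.101.1; };
};
"""
HOST_ADDRS = {"192.168.100.1", "192.168.101.1", "24.1.45.78"}
PUBLIC_ADDRS = {"24.1.45.78"}

_LISTEN_RE = re.compile(r"\blisten-on\b(?:\s+port\s+\d+)?\s*\{([^}]*)\}")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def strip_comments(conf):
    """Remove the /* */, // and # comment forms named.conf allows."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def listen_addresses(conf, host_addrs):
    """Return which of host_addrs BIND would bind to, given an IPv4 listen-on.

    No listen-on at all, or an `any` entry, means every interface (BIND's
    default); `none` means no interface. Entries this checker does not
    understand (ACL names, prefixes, negations) raise, so an unusual config
    is never silently reported as safe.
    """
    blocks = _LISTEN_RE.findall(strip_comments(conf))
    if not blocks:
        return set(host_addrs)
    bound = set()
    for block in blocks:
        for item in (x.strip() for x in block.split(";")):
            if item == "" or item == "none":
                continue
            if item == "any":
                return set(host_addrs)
            if not _IPV4_RE.match(item):
                raise ValueError("unsupported listen-on entry: %r" % item)
            bound.add(item)
    return bound & set(host_addrs)


def exposed_public_addresses(conf, host_addrs, public_addrs):
    """Public addresses the firewall must cover because BIND still binds them."""
    return listen_addresses(conf, host_addrs) & set(public_addrs)


if __name__ == "__main__":
    print(sorted(exposed_public_addresses(SAMPLE_NAMED_CONF, HOST_ADDRS, PUBLIC_ADDRS)))
```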

-----Original Message-----
From: plug-discuss-admin@lists.PLUG.phoenix.az.us
[mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us]On Behalf Of Stephen
Smith
Sent: Tuesday, March 21, 2000 09:45
To: plug-discuss@lists.PLUG.phoenix.az.us; der.hans
Subject: Re: Blocking DNS addresses from general use


Ok, why would I want to block using both IP Chains and at the DNS query
level?  What I have is a server that has a public IP address that I don't
want to serve the general public.

Stephen

>
> On Mon, 20 Mar 2000, Stephen Smith wrote:
>
> > I want to accept DNS server use from a range of IP addresses.  How do I
> > do that?
> >
> > I tried using IPChains - accepting from certain subnets and denying
> > everyone else.
> > But that blocked the lookups from the other servers.
>
> # Undefine LOCALNET if there is no network card
> LOCALNET=10.1.1.0
> INTIP=10.1.1.96
> EXTIP=192.168.1.90
>
> # Find out what nameservers we use
> NAMESERVERS=`awk '($1 ~ "nameserver") {print $2}' < /etc/resolv.conf`
>
> if [ -z "$NAMESERVERS" ]
> then
>         ipchains -A ext-in -j ACCEPT -p TCP -d 0/0 53
>         ipchains -A ext-in -j ACCEPT -p UDP -d 0/0 53
> else
>  for NAMESERVER in ${NAMESERVERS} ; do
>         ipchains -A ext-in -j ACCEPT -p TCP -s $NAMESERVER -d $EXTIP 53
>         ipchains -A ext-in -j ACCEPT -p UDP -s $NAMESERVER -d $EXTIP 53
>  done
> fi
>
> # for internal use of dns services
> ipchains -A int-in -j ACCEPT -p TCP -s $LOCALNET/24 -d $INTIP 53
> ipchains -A int-in -j ACCEPT -p UDP -s $LOCALNET/24 -d $INTIP 53
>
> # ext-in is the input chain for the external interface
> # int-in is the input chain for the internal interface
>
> Don't forget the dns stuff that Mike suggested as well.
>
> If you throw a "-l" on the end of all of the above ipchains commands you
> should see ACCEPTs in the logs when queries are made. Also don't forget
> that dns queries go to port 53 in both TCP and UDP, from either above 1023
> or from port 53.
>
> ciao,
>
> der.hans
> --
> # +++++++++++=================================+++++++++++ #
> #  der.hans@LuftHans.com                  www.excelco.com #
> #            http://home.pages.de/~lufthans/              #
> #   I'm not anti-social, I'm pro-individual. - der.hans   #
> # ===========+++++++++++++++++++++++++++++++++=========== #
>

_______________________________________________
Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss