Subject: Re: bind (was: Is my ipfilter list secure?)
To: Roger Fischer <roger@aileron.org>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 04/26/2002 15:20:39
In message <Pine.LNX.4.33.0204261206200.17903-100000@pete.fisch.net>, Roger Fischer writes:
>
>On Fri, 26 Apr 2002, Jeremy C. Reed wrote:
>
>> > 	BIND server (for internal net)
>>
>> Only have named listen to internal interface.
>
>If I do that, will named still have access to the outside for lookups?
>Is this done in named or is it an ipf rule that only allows connections to
>port 53 from the internal if (or both).
>


I'm not sure about bind 8, but with bind 9, the query port is *not* 53. 
I use the following on my laptop:

options {
        directory "/etc/namedb";
        listen-on { 127.0.0.1; 172.16.212.1; };
        query-source port 60000;
        allow-query { 127.0.0.1; 172.16.212.0/24; };
};

(The 172.16 stuff is how to set it up on a gateway machine.)

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
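The config above answers Roger's question in two halves: `listen-on` and `allow-query` decide which interfaces and clients named will serve, while `query-source port` fixes the source port of named's own outbound lookups so the packet filter can be written against a known port rather than "any high port". The script below is an added example, not part of the post or of BIND: it parses that `options {}` block, flags settings that would expose the server to the outside, and prints the IPFilter rules that correspond to it. The interface names `ep0` (external) and `ep1` (internal) and the internal-network list are assumptions. One caveat for anyone reusing the idea today: pinning the query source port removes the source-port randomization that modern resolvers rely on against cache poisoning, so on a current BIND the firewall should instead pass the reply range with `keep state` and leave the port unpinned.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the options block from the post, embedded so this runs offline.
SAMPLE_NAMED_CONF = """
options {
        directory "/etc/namedb";
        listen-on { 127.0.0.1; 172.16.212.1; };
        query-source port 60000;
        allow-query { 127.0.0.1; 172.16.212.0/24; };
};
"""

# Constructed counter-example: an open resolver listening everywhere.
OPEN_NAMED_CONF = """
options {
        directory "/etc/namedb";
        listen-on { any; };
        allow-query { any; };
};
"""

_LIST_RE = re.compile(r"(listen-on|allow-query)\s*\{([^}]*)\}\s*;")
_QSRC_RE = re.compile(r"query-source\s+(?:address\s+\S+\s+)?port\s+(\d+|\*)\s*;")


def parse_options(text):
    """Extract listen-on, allow-query and the pinned query-source port (None if unpinned)."""
    opts = {"listen-on": [], "allow-query": [], "query-source-port": None}
    for key, body in _LIST_RE.findall(text):
        opts[key] = [tok.strip() for tok in body.split(";") if tok.strip()]
    m = _QSRC_RE.search(text)
    if m and m.group(1) != "*":
        opts["query-source-port"] = int(m.group(1))
    return opts


def _inside(addr, nets):
    """True if addr is a literal address inside one of the internal networks."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False  # 'any', ACL names and the like are not a known internal address
    return any(ip in n for n in nets)


def check_options(opts, internal_nets):
    """Return a list of findings; empty means named is confined to the internal side."""
    nets = [ip_network(n) for n in internal_nets]
    findings = []
    if not opts["listen-on"]:
        findings.append("listen-on missing: named listens on every interface")
    for addr in opts["listen-on"]:
        if not _inside(addr, nets):
            findings.append(f"listen-on includes non-internal address {addr}")
    for acl in opts["allow-query"]:
        if acl in ("any", "0.0.0.0/0"):
            findings.append("allow-query permits queries from anywhere")
    if opts["query-source-port"] is None:
        findings.append("query-source port not pinned: filter must pass replies to any high port")
    return findings


def ipf_rules(opts, ext_if, int_if):
    """Emit IPFilter rules matching the parsed options (interface names are assumptions)."""
    port = opts["query-source-port"]
    src = f"port = {port}" if port else "port > 1023"
    rules = [
        # Nothing from the outside may reach the resolver itself.
        f"block in quick on {ext_if} proto udp from any to any port = 53",
        f"block in quick on {ext_if} proto tcp from any to any port = 53",
        # named's own lookups go out from the pinned port; keep state admits the replies.
        f"pass out quick on {ext_if} proto udp from any {src} to any port = 53 keep state",
        f"pass out quick on {ext_if} proto tcp from any to any port = 53 keep state",
    ]
    # Internal clients may query the non-loopback listen address over the inside interface.
    for addr in opts["listen-on"]:
        if addr.startswith("127."):
            continue
        for acl in opts["allow-query"]:
            if acl.startswith("127."):
                continue
            rules.append(f"pass in quick on {int_if} proto udp from {acl} to {addr} port = 53")
            rules.append(f"pass in quick on {int_if} proto tcp from {acl} to {addr} port = 53")
    return rules


if __name__ == "__main__":
    nets = ["127.0.0.0/8", "172.16.212.0/24"]  # assumed internal networks
    for name, conf in (("laptop", SAMPLE_NAMED_CONF), ("open", OPEN_NAMED_CONF)):
        opts = parse_options(conf)
        print(f"== {name}: findings = {check_options(opts, nets) or 'none'}")
    for rule in ipf_rules(parse_options(SAMPLE_NAMED_CONF), "ep0", "ep1"):
        print(rule)
```

Run it as-is to see the post's configuration pass clean while the `listen-on { any; }` variant produces three findings; the emitted rules are a starting point for an `ipf.conf`, not a drop-in ruleset, since the real interface names and any other services still have to be filled in.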