Re: caching dns lookups
- To: <linux-il(at-nospam)linux.org.il>
- Subject: Re: caching dns lookups
- From: Dani Arbel <darbel(at-nospam)techunix.technion.ac.il>
- Date: Thu, 30 Aug 2001 11:30:38 +0300 (IDT)
- Delivered-To: linux.org.il-linux-il@linux.org.il
- In-Reply-To: <3B8DD041.B33F75DB@tromer.org>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
Well ...
On Thu, 30 Aug 2001, Eran Tromer wrote:
> Nadav Har'El wrote:
>
> > Lastly, Dan, are you sure you really want to use a DNS cache? What was the
> > reason you decided you wanted one?
> > In most cases a DNS cache is not useful to "ordinary" modem users. Why?
> [snip]
>
>
> Security: if programs on your box query the ISP's DNS directly, they'll
> do so from arbitrary (user) ports. In your packet filter you'll need to
> allow incoming UDP packets and incoming TCP connections from port 53 of
That's where iptables comes in and adds stateful inspection. All ports
(above and below 1023) are closed unless specifically opened (for
supplying services) or for expected incoming packets belonging to a
stream initiated by a trusted machine.
> your ISP's DNS to *any* port on
> your box. Worse yet, if you have a
> firewalled LAN you need to forward all such packets/connections for any
> box on the LAN. Major security issue (what if someone cracks your ISP's
> DNS or spoofs it?). Connection tracking helps a bit, but is far from
> perfect (esp. for UDP replies, since there is no explicit connection
> close, so the "connection" is considered established long after the DNS
> query was finished).
>
> With a properly configured caching nameserver on your firewall, you just
> need to allow packets/connections from port 53 of the ISP's DNS to port
> 53 of your box. If you're in LAN settings there's also the obvious
No... close port 53 to packets from the Internet. Make your caching DNS
use a high port for its requests. You give DNS services to your internal LAN
only.
> administration advantage.
>
> In case I'm getting this wrong, well, so are the authors of every
> firewall setup I've checked...
>
> Regards,
> Eran Tromer
>
=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il
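As an added example that is not part of the thread, a shell script sketching the ruleset Dani describes: default-deny with stateful inspection, the caching resolver querying the ISP from high ports, and port 53 open to the LAN only, with a check for the UDP conntrack window Eran warns about. Interface names, the LAN subnet and the ISP resolver address are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables ruleset for the layout Dani
# describes (caching resolver on the firewall, stateful filtering, port 53
# closed toward the Internet). Interface names, the LAN subnet and the ISP
# resolver address are constructed placeholders.
WAN=${WAN:-ppp0}                    # assumption: ISP-facing interface
LAN=${LAN:-eth0}                    # assumption: internal interface
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumption: internal subnet
ISP_DNS=${ISP_DNS:-192.0.2.53}      # assumption: ISP resolver (documentation range)
# Dry run by default: print the rules. Set IPT=iptables to apply them as root.
IPT=${IPT:-echo iptables}

dns_firewall_rules() {
    # Everything is closed unless specifically opened.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Stateful inspection: accept only packets that belong to a flow this
    # box started. An unsolicited datagram from "port 53" never matches.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The caching resolver queries the ISP from high ports; only NEW flows
    # toward the ISP resolver's port 53 may leave through the WAN.
    $IPT -A OUTPUT -o "$WAN" -d "$ISP_DNS" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -d "$ISP_DNS" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    # DNS service is offered to the internal LAN only.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    # Port 53 stays closed toward the Internet; log what hits it so unsolicited
    # traffic shows up in the firewall log before the policy drops it.
    $IPT -A INPUT -i "$WAN" -p udp --dport 53 -j LOG --log-prefix "dns-in-from-wan: "
    $IPT -A INPUT -i "$WAN" -p tcp --dport 53 -j LOG --log-prefix "dns-in-from-wan: "
}

# Eran's caveat about UDP: the conntrack entry for a finished query lingers
# until it times out (nf_conntrack_udp_timeout, 30 s by default on current
# kernels), and a datagram matching that entry still counts as ESTABLISHED.
# Keep the window short; this prints the current value when the sysctl exists.
udp_conntrack_timeout() {
    f=/proc/sys/net/netfilter/nf_conntrack_udp_timeout
    [ -r "$f" ] && cat "$f" || echo "unknown"
}

dns_firewall_rules
```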