[plug] Named
Luke Dudney
plug at goa-trance.org
Thu Feb 21 11:07:45 WST 2002
You're not permitting the response to come back in again.
DNS requests go out with a high (>1024) source port and have a
destination of port 53.
The responses come back in with a source port of 53 and the
corresponding high port used to make the request.
If you were using iptables, you could do this with the state module to
enable the kernel to realise that it is a response and that it should be
let through.
With ipchains, you'd do something like this:
ipchains -A output -p tcp -s 0/0 -d 0/0 53 -j ACCEPT
ipchains -A output -p udp -s 0/0 -d 0/0 53 -j ACCEPT
ipchains -A input -p tcp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT
ipchains -A input -p udp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT
The port range on the input chain here prevents someone from
portscanning your service (low) ports with a source port of 53.
Cheers
Luke
Jonathon Bates wrote:
>It seems to be a firewall problem.
>When I flush the rules it works, no problems.....
>But when I start the firewall it doesn't run. I'm explicitly allowing DNS:
># DNS (53)
>ipchains -A input -p tcp -s 0/0 -d 0/0 53 -j ACCEPT
>ipchains -A input -p udp -s 0/0 -d 0/0 53 -j ACCEPT
>echo -n ".."
>
># DNS (53)
>ipchains -A output -p tcp -s 0/0 -d 0/0 53 -j ACCEPT
>ipchains -A output -p udp -s 0/0 -d 0/0 53 -j ACCEPT
>echo -n ".."
>
>Would that be correct?
>
>Cheers
>batesy
>
>>>Heya guys,
>>>I'm running a local DNS server on my home network. Now named, when I run a
>>>status command, tells me that it ain't loading its config (apparently that's
>>>nothing to worry about).
>>>And then when I try to ping domain names they don't resolve. I have
>>>/etc/resolv.conf set to:
>>>search www.batesy.net
>>>
>>This needs to be batesy.net
>>
>>>nameserver 192.168.0.1
>>>
>>>And it doesn't resolve. Does anyone have any ideas?
>>>
>>>Cheers
>>>Batesy
>>>
>>>
>>
>
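The port behaviour Luke describes above, as an added example that is not from the thread: a small Python model of ipchains first-match evaluation (a simplification that assumes a DENY chain policy and ignores addresses and interfaces), run over Jonathon's rules, Luke's rules, and a hypothetical looser variant that drops the high-port range, with constructed packets for a query, its reply, and a probe hiding behind source port 53.

```python
from dataclasses import dataclass

ANY = (0, 65535)        # any port
HIGH = (1024, 65535)    # unprivileged ports a resolver uses as its source port
DNS = (53, 53)

@dataclass(frozen=True)
class Rule:
    chain: str          # "input" or "output"
    proto: str          # "tcp" or "udp"
    sport: tuple        # inclusive (lo, hi) range for the source port
    dport: tuple        # inclusive (lo, hi) range for the destination port
    target: str = "ACCEPT"

@dataclass(frozen=True)
class Packet:
    chain: str
    proto: str
    sport: int
    dport: int

def matches(rule, pkt):
    return (rule.chain == pkt.chain and rule.proto == pkt.proto
            and rule.sport[0] <= pkt.sport <= rule.sport[1]
            and rule.dport[0] <= pkt.dport <= rule.dport[1])

def verdict(rules, pkt, policy="DENY"):
    """First matching rule wins, as ipchains walks a chain top to bottom;
    an unmatched packet gets the chain policy (DENY assumed here)."""
    for r in rules:
        if matches(r, pkt):
            return r.target
    return policy

# Jonathon's rules from the thread: destination port 53 only, on both chains.
BATESY = [Rule("input", "tcp", ANY, DNS), Rule("input", "udp", ANY, DNS),
          Rule("output", "tcp", ANY, DNS), Rule("output", "udp", ANY, DNS)]

# Luke's rules: out to port 53, back in from port 53 to a high port only.
LUKE = [Rule("output", "tcp", ANY, DNS), Rule("output", "udp", ANY, DNS),
        Rule("input", "tcp", DNS, HIGH), Rule("input", "udp", DNS, HIGH)]

# Hypothetical looser variant: same, but without the 1024:65535 range on input.
LOOSE = LUKE[:2] + [Rule("input", "tcp", DNS, ANY), Rule("input", "udp", DNS, ANY)]

# Constructed packets: a resolver query from port 3456, its reply, and a
# probe of a low service port that uses source port 53 to look like DNS.
QUERY = Packet("output", "udp", sport=3456, dport=53)
REPLY = Packet("input", "udp", sport=53, dport=3456)
PROBE = Packet("input", "tcp", sport=53, dport=22)
```

Jonathon's rules accept the outgoing query but deny the reply (its destination is the high port, not 53); Luke's rules accept both and still deny the probe, while the looser variant lets the probe through.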