[plug] Named

Luke Dudney plug at goa-trance.org
Thu Feb 21 11:07:45 WST 2002


You're not permitting the response to come back in again.
DNS requests go out with a high (>1024) source port and have a 
destination of port 53.
The responses come back in with a source port of 53 and the 
corresponding high port used to make the request.

If you were using iptables, you could do this with the state module to 
enable the kernel to realise that it is a response and that it should be 
let through.

With ipchains, you'd do something like this:

ipchains -A output -p tcp -s 0/0 -d 0/0 53 -j ACCEPT
ipchains -A output -p udp -s 0/0 -d 0/0 53 -j ACCEPT

ipchains -A input -p tcp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT
ipchains -A input -p udp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT

The port range on the input chain here prevents someone from 
portscanning your service (low) ports with a source port of 53.

Cheers
Luke

Jonathon Bates wrote:

>It seems to be a firewall problem.
>When I flush the rules it works no problems.....
>But when I start the firewall it doesn't run. I'm explicitly allowing dns:
># DNS (53)
>ipchains -A input -p tcp -s 0/0 -d 0/0 53 -j ACCEPT
>ipchains -A input -p udp -s 0/0 -d 0/0 53 -j ACCEPT
>echo -n ".."
>
># DNS (53)
>ipchains -A output -p tcp -s 0/0 -d 0/0 53 -j ACCEPT
>ipchains -A output -p udp -s 0/0 -d 0/0 53 -j ACCEPT
>echo -n ".."
>
>Would that be correct?
>
>Cheers
>batesy
>
>>>Heya guys,
>>>I'm running a local DNS server on my home network. Now named when I run a
>>>status command tells me that it ain't loading its config (apparently that's
>>>nothing to worry about).
>>>And then when I try to ping domain names they don't resolve. I have
>>>/etc/resolv.conf set to:
>>>search www.batesy.net
>>>
>>This needs to be batesy.net
>>
>>>nameserver 192.168.0.1
>>>
>>>And it doesnt resolve. Does anyone have any ideas?
>>>
>>>Cheers
>>>Batesy
>>>
>>>
>>
>
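The following is an added example (not code from the list thread) that models why batesy's rules block DNS replies while Luke's let them through, and what the iptables state module adds on top. It parses the ipchains lines quoted above with a small stateless matcher (first matching rule wins, default policy assumed to be DENY, addresses ignored since every rule uses 0/0) and compares it with a minimal stand-in for connection tracking. The `StatefulFilter` class and the sample packets are constructed for illustration and are not real ipchains/iptables code.

```python
"""Stateless (ipchains-style) vs stateful (iptables state module) filtering of DNS.
Added example: only protocol and ports are modelled; addresses are ignored."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

PortRange = Tuple[int, int]
ANY: PortRange = (0, 65535)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    sport: int   # source port
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    proto: str
    sport: PortRange  # inclusive source-port range
    dport: PortRange  # inclusive destination-port range
    target: str       # "ACCEPT" or "DENY"

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and self.sport[0] <= pkt.sport <= self.sport[1]
                and self.dport[0] <= pkt.dport <= self.dport[1])


def port_range(spec: str) -> PortRange:
    """ipchains port spec: "53" -> (53, 53), "1024:65535" -> (1024, 65535)."""
    lo, _, hi = spec.partition(":")
    return (int(lo), int(hi or lo))


def parse_rule(line: str) -> Tuple[str, Rule]:
    """Parse the ipchains subset used in the thread:
    ipchains -A CHAIN -p PROTO -s ADDR [PORT] -d ADDR [PORT] -j TARGET"""
    tok = line.split()

    def ports_after(flag: str) -> PortRange:
        i = tok.index(flag) + 2           # skip the flag and its address
        if i < len(tok) and not tok[i].startswith("-"):
            return port_range(tok[i])     # optional port or port range
        return ANY

    chain = tok[tok.index("-A") + 1]
    rule = Rule(tok[tok.index("-p") + 1], ports_after("-s"),
                ports_after("-d"), tok[tok.index("-j") + 1])
    return chain, rule


def load_chains(script: str) -> Dict[str, List[Rule]]:
    chains: Dict[str, List[Rule]] = {"input": [], "output": []}
    for line in script.splitlines():
        line = line.strip()
        if line.startswith("ipchains"):
            chain, rule = parse_rule(line)
            chains[chain].append(rule)
    return chains


def stateless_verdict(chains: Dict[str, List[Rule]], chain: str, pkt: Packet) -> str:
    """First matching rule wins; default policy DENY (assumed closed firewall)."""
    for rule in chains[chain]:
        if rule.matches(pkt):
            return rule.target
    return "DENY"


class StatefulFilter:
    """Rough stand-in for the iptables state module: an inbound packet is
    accepted only if it reverses the ports of a request this host sent out."""
    def __init__(self) -> None:
        self.outstanding: Set[Tuple[str, int, int]] = set()

    def outgoing(self, pkt: Packet) -> None:
        self.outstanding.add((pkt.proto, pkt.sport, pkt.dport))

    def incoming(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.dport, pkt.sport)   # our port, then their port
        return "ACCEPT" if key in self.outstanding else "DENY"


# Rulesets quoted from the thread (batesy's original and Luke's correction).
BATESY_RULES = """
ipchains -A input -p tcp -s 0/0 -d 0/0 53 -j ACCEPT
ipchains -A input -p udp -s 0/0 -d 0/0 53 -j ACCEPT
ipchains -A output -p tcp -s 0/0 -d 0/0 53 -j ACCEPT
ipchains -A output -p udp -s 0/0 -d 0/0 53 -j ACCEPT
"""
LUKE_RULES = """
ipchains -A output -p tcp -s 0/0 -d 0/0 53 -j ACCEPT
ipchains -A output -p udp -s 0/0 -d 0/0 53 -j ACCEPT
ipchains -A input -p tcp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT
ipchains -A input -p udp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT
"""

# Constructed traffic: a resolver query from an ephemeral port, its reply,
# a packet using source port 53 to reach a low service port, and an
# unsolicited packet from port 53 to a high port nobody asked from.
QUERY = Packet("udp", 33000, 53)
REPLY = Packet("udp", 53, 33000)
LOW_PORT_PROBE = Packet("tcp", 53, 22)
UNSOLICITED = Packet("udp", 53, 33001)


def dns_round_trip(script: str) -> Tuple[str, str]:
    """(verdict on the outgoing query, verdict on the returning reply)."""
    chains = load_chains(script)
    return (stateless_verdict(chains, "output", QUERY),
            stateless_verdict(chains, "input", REPLY))


def stateful_round_trip() -> Tuple[str, str, str]:
    """Stateful filter: reply accepted, probe and unsolicited packet denied."""
    f = StatefulFilter()
    f.outgoing(QUERY)
    return f.incoming(REPLY), f.incoming(LOW_PORT_PROBE), f.incoming(UNSOLICITED)


if __name__ == "__main__":
    print("batesy:", dns_round_trip(BATESY_RULES))   # query out, reply dropped
    print("luke:  ", dns_round_trip(LUKE_RULES))     # query out, reply accepted
    luke = load_chains(LUKE_RULES)
    print("luke, port 53 -> 22:", stateless_verdict(luke, "input", LOW_PORT_PROBE))
    print("luke, unsolicited 53 -> 33001:", stateless_verdict(luke, "input", UNSOLICITED))
    print("stateful:", stateful_round_trip())
```

The stateless run reproduces the thread: batesy's input rules only match packets *to* port 53, so the reply (from 53 to the high port) hits the default policy and the resolver times out; Luke's `1024:65535` range admits the reply while refusing a source-port-53 packet aimed at a low port. The stateful stand-in shows the remaining gap Luke alludes to with the iptables state module: a packet from port 53 to a high port that no outstanding query used is still accepted by the stateless range rule but denied once the kernel tracks which requests actually went out.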