Can anyone tell me how to close up port 53, or how to close ports gernerally. I am new to Linux networking systems, so please be specific.

To close a port you need to shutdown the program that is using the port. IN the case of port 53 you need to stop the name server (probably BIND).

Or use netfilter (2.4) or ipchains (2.2) to close the port, although I don't see why you need to close port 53. You want dns to work right???

I do want DNS to work, but at the same time port 53 seems to have several vulnerabilities.

Is there a way to block all activity that would require running a script or pogram without a users permission?

You do NOT need to run BIND (or any DNS server) to get DNS to work. You only need a DNS server if you are authoratative for a zone and want to have full control over the server.

True.

If you use netfilter (dunno about ipchains) and you want to allow incoming trafic on port 53, but not let people connect to it, use the following rule:

iptables -i <your ext interface> -s <address of dns server> -d <your ext ip addr> -p udp --sport 53 --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -i <your ext interface> -s <address of dns server> -d <your ext ip addr> -p udp --sport 53 --dport 53 -m state --state NEW -j DROP

This will allow all but NEW connections to port 53. What happens is: Your resolver makes a NEW connection to your DNS server, which then responds. Because the response of the DNS server is not a new connection (state ESTABLISHED,RELATED), it is allowed in. If the server tries to make a connection to your box (state NEW) it will be silently dropped

Shadowhacker,

You have 2 options.
1) you want to access yours ISP's DNS server as configured in your /etc/resolve.conf file or
2) You want to run your own Domain that you have authoritative zone control on.

If it's (1) then you shouldn't have port 53 open on your server, named daemon is running. kill it by looking in /erc/rc.d/rcx.d directories for it's Startup script ID.
You do need a firewall to allow your ISP's DNS connection resolve back to you.
UDP and TCP both needed for DNS.

As r3b00t gave you an iptables example for 7.1, if your using 7.0 then in ipchains you'll want:

ipchains -A output -p tcp -s youripaddress 1023:65535 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s yourdnsipaddress --sport 53 -d 212.38.186.134 1023:65535 -j ACCEPT
ipchains -A output -p udp -s youripaddress 1023:65535 --dport 53 -d 0/0 -j ACCEPT
ipchains -A input -p udp -s yourdnsipaddress --sport 53 -d 212.38.186.134 1023:65535 -j ACCEPT

The sync flag is only allowed on incoming DNS connections from your ISP only, so someone can't spoof them without you asking for a request first.

If the answer is (2) then you'll need to keep BIND patched and up-to-date to stop people exploiting your system.

/Raz

I will try to implement what all of you have given me, but one last quesiton. It sounds to me like everyone is saying that unless I am running a server, and all I do is surf the web and pull email from my cable speed company that I dont need BIND at all. Is this true? If not, then how do I shut down that service at boot time?

This is true, you don't need a dns server to surf etc... Look for either something like "named", "bind" or the like in (depending on your distro) /etc/rc*.d... Remove these symlinks, and bind will not start after a reboot...

If you are running Redhat or another SysV based distribution, you should be able to go into /etc/rc.d/rc3.d and find something like 'S45named'. This is a link to a script in /etc/init.d. Instead of removing the link, what you might consider is simply changing the 'S' at the beginning of the name to a lower case 's'. This way, if you want it later for testing or playing, you can just rename it again, plus, it's a good thing to do for newbies 'cos you might need to trace your steps back later. Easier to do it that way than to remove it and forget it was ever there.

Just a tip.