Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
You do NOT need to run BIND (or any DNS server) to get DNS to work. You only need a DNS server if you are authoratative for a zone and want to have full control over the server.
If you use netfilter (dunno about ipchains) and you want to allow incoming traffic on port 53, but not let people connect to it, use the following rules:
# replies from the DNS server come from port 53 back to the resolver's ephemeral port, so match the source port only
iptables -A INPUT -i <your ext interface> -s <address of dns server> -d <your ext ip addr> -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
# anything that tries to open a new flow to our port 53 is dropped
iptables -A INPUT -i <your ext interface> -s <address of dns server> -d <your ext ip addr> -p udp --dport 53 -m state --state NEW -j DROP
This will allow all but NEW connections to port 53. What happens is: your resolver makes a NEW connection to your DNS server, which then responds. Because the response of the DNS server is not a new connection (state ESTABLISHED,RELATED), it is allowed in. If the server tries to make a connection to your box (state NEW) it will be silently dropped.
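The stateful filtering described in the post above, written out as an added example (not code from the thread): a POSIX shell function that emits the netfilter rules for a host that runs only a stub resolver and asks its ISP's DNS server. It goes a little beyond the post by covering TCP as well as UDP and by adding the matching OUTPUT rules. The interface name eth0, the DNS server address 203.0.113.53 and the local address 198.51.100.7 are placeholder values; the function prints the commands unless IPTABLES is set to the real binary, so the rule set can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not from the original post. Emits stateful netfilter rules for
# a machine that only runs a stub resolver (no BIND) and queries its ISP's DNS
# server. Placeholder values: eth0, 203.0.113.53 (DNS server), 198.51.100.7 (us).
# Dry run by default: the commands are printed. Set IPTABLES=iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"

# dns_client_rules IFACE DNS_SERVER LOCAL_IP
# Prints (or applies) six rules: for UDP and for TCP, one OUTPUT rule for our
# queries, one INPUT rule for the replies, and one INPUT rule dropping NEW
# flows aimed at our port 53.
dns_client_rules() {
    iface="$1"; dns="$2"; me="$3"
    for proto in udp tcp; do
        # Our queries: ephemeral source port, destination port 53 on the server.
        # TCP is needed as well as UDP, for answers too large for a UDP packet.
        $IPTABLES -A OUTPUT -o "$iface" -s "$me" -d "$dns" -p "$proto" --dport 53 \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        # Replies: from port 53 back to whichever ephemeral port we used, so do
        # not match --dport 53 here; conntrack's ESTABLISHED state is what ties
        # the packet to a query we actually sent.
        $IPTABLES -A INPUT -i "$iface" -s "$dns" -d "$me" -p "$proto" --sport 53 \
            -m state --state ESTABLISHED,RELATED -j ACCEPT
        # Nobody may open a NEW flow to our port 53: there is no server here.
        $IPTABLES -A INPUT -i "$iface" -d "$me" -p "$proto" --dport 53 \
            -m state --state NEW -j DROP
    done
}

dns_client_rules eth0 203.0.113.53 198.51.100.7
```

The DROP rule is only there to make the intent explicit; with a default DROP policy on INPUT it changes nothing. The reply rule deliberately has no --dport, because a resolver that is not BIND sends from an ephemeral port and a --dport 53 match would silently block every answer.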
You have 2 options.
1) you want to access your ISP's DNS server as configured in your /etc/resolv.conf file, or
2) you want to run your own domain that you have authoritative zone control on.
If it's (1) then you shouldn't have port 53 open on your server; if it is, the named daemon is running. Kill it by looking in the /etc/rc.d/rcX.d directories for its startup script ID.
You do need a firewall rule to allow your ISP's DNS server's replies back to you.
UDP and TCP are both needed for DNS.
As r3b00t gave you an iptables example for 7.1, if you're using 7.0 then in ipchains you'll want:
I will try to implement what all of you have given me, but one last question. It sounds to me like everyone is saying that unless I am running a server, and all I do is surf the web and pull email from my cable speed company, I don't need BIND at all. Is this true? If not, then how do I shut down that service at boot time?
This is true, you don't need a dns server to surf etc... Look for either something like "named", "bind" or the like in (depending on your distro) /etc/rc*.d... Remove these symlinks, and bind will not start after a reboot...
If you are running Redhat or another SysV based distribution, you should be able to go into /etc/rc.d/rc3.d and find something like 'S45named'. This is a link to a script in /etc/init.d. Instead of removing the link, what you might consider is simply changing the 'S' at the beginning of the name to a lower case 's'. This way, if you want it later for testing or playing, you can just rename it again, plus, it's a good thing to do for newbies 'cos you might need to trace your steps back later. Easier to do it that way than to remove it and forget it was ever there.
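The rename trick in the reply above, as an added example (not the poster's code): a shell function that walks the SysV runlevel directories for S??named and S??bind* start links and renames the leading S to a lowercase s, so init skips them at boot but the link stays put to be turned back on later. RC_ROOT defaults to /etc/rc.d, the Red Hat layout the reply describes (for a layout with /etc/rc3.d directly under /etc, point it at /etc); the function only reports what it would do unless APPLY=1, so it can be pointed at a scratch copy of the tree first.

```shell
#!/bin/sh
# Added example, not from the original thread. Disables BIND's SysV start
# links by renaming S<nn>named to s<nn>named (init only runs links whose name
# starts with a capital S or K). Assumes the layout /etc/rc.d/rcN.d/S45named
# described in the thread. Dry run unless APPLY=1. RC_ROOT is a placeholder.
RC_ROOT="${RC_ROOT:-/etc/rc.d}"
APPLY="${APPLY:-0}"

# disable_named_links [root]
# Sets DISABLED_COUNT to the number of start links found (and renamed when
# APPLY=1). Kill links (K..) and already lowercased links are left alone, so
# running it twice is harmless.
disable_named_links() {
    root="${1:-$RC_ROOT}"
    DISABLED_COUNT=0
    for link in "$root"/rc[0-6].d/S[0-9][0-9]named "$root"/rc[0-6].d/S[0-9][0-9]bind*; do
        [ -L "$link" ] || continue              # unmatched glob, or not a symlink
        dir=$(dirname "$link"); base=$(basename "$link")
        new="$dir/s${base#S}"                   # S45named -> s45named
        if [ "$APPLY" = 1 ]; then
            mv "$link" "$new" && echo "disabled: $link -> $new"
        else
            echo "would rename: $link -> $new"
        fi
        DISABLED_COUNT=$((DISABLED_COUNT + 1))
    done
    echo "start links handled: $DISABLED_COUNT"
}

disable_named_links "$RC_ROOT"
```

Renaming the link only stops named from starting at the next boot; the copy already running has to be stopped by hand (its init script's stop action, or kill). Afterwards, check that nothing is still bound to port 53 with netstat -ln or ss -lnu and ss -lnt and look for :53 in the listener list; if it is gone, the firewall rules above are all the DNS-related filtering the box needs.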