[Dshield] Help: DNS (53)

David Hart DavidHart at TQMcube.com
Thu Jan 1 16:10:35 GMT 2004


On Thu, 2004-01-01 at 08:43, Tod D. Ihde wrote:

Thanks. Your reply is extremely helpful!

> Look into DJBDNS, your bandwidth, memory, diskspace, and response times 
> will all improve. (I plug it when I can, I'm a big fan).
> 
That's been a to-do for a while now. It's funny: the kernel, Apache,
Postfix and other key apps are custom installed from source. When it
comes to DNS, I become an RPM-addicted nitwit because I don't know what
I don't know.

> You need to accept UDP to 53 from any in-bailiwick ( 
> "authoritative") server. For example, if your server is looking up dns 
> info for dshield.org, it must accept UDP packets from dshield.org.
> 
OK. Then there is no applicable (IPTables) firewall rule other than
"Accept" DPT=53?
> 
> Allowing ALL incoming packets FROM udp port 53 means that ANY UDP 
> datagram can get through your firewall, as long as the source port is 
> 53. Probably not what you intended.
> 
That makes abundant sense. Presumably then, I want to limit to DPT >
32000 and < ???? Any suggestions?


                               ---------
            Quality Management - A Commitment to Excellence
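The rule the reply warns against, beside a stateful and a stateless replacement, as an added shell example (not from the thread; assumes Linux iptables with the conntrack match, and reads the kernel's ephemeral port range from /proc):

```shell
#!/bin/sh
# Added example, not from the list thread. Rules are printed, not applied;
# pipe the output to sh as root on a Linux host running iptables. Assumes the
# conntrack match is available (the older "-m state --state" form is equivalent).

# The rule the thread warns against: any UDP datagram whose SOURCE port is 53
# reaches every local UDP service, because only the source port is checked.
weak_rules() {
    echo "iptables -A INPUT -p udp --sport 53 -j ACCEPT"
}

# Stateful version: replies are accepted only when they belong to a query this
# host actually sent; inbound queries to our port 53 are accepted explicitly;
# all other UDP is dropped. No rule keys on the remote source port at all.
hardened_rules() {
    echo "iptables -A INPUT -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A INPUT -p udp -j DROP"
}

# Stateless fallback (no conntrack): confine replies from source port 53 to the
# ephemeral range the resolver binds for its own outgoing queries. $1/$2 are the
# range bounds; the defaults are the usual Linux values and are an assumption.
stateless_rules() {
    lo=${1:-32768}
    hi=${2:-60999}
    echo "iptables -A INPUT -p udp --sport 53 --dport ${lo}:${hi} -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -p udp -j DROP"
}

# Read the live ephemeral range on Linux so the stateless rule matches what the
# resolver will really use; fall back to the assumed defaults elsewhere.
ephemeral_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        cat /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "32768 60999"
    fi
}

# Usage: sh dns-rules.sh stateful | sudo sh   (or: sh dns-rules.sh stateless)
if [ "${1:-}" = "stateful" ]; then
    hardened_rules
elif [ "${1:-}" = "stateless" ]; then
    set -- $(ephemeral_range)
    stateless_rules "$1" "$2"
fi
```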