kdavid
Member Candidate
Topic Author
Posts: 141
Joined: Sun Jul 03, 2005 8:11 pm

DNS server behind Router

Sat Nov 06, 2010 6:51 pm

Hello,

we have a DNS server based on Bind9. For security reasons we want to use the DNS server behind a router. Which ports need to be forwarded from public to private addresses?

I know that DNS servers work on port 53 UDP, sometimes TCP, but we have reverse delegation, too.

It is used for DNS hosting, too.


Public IP -------------Router---------- DNS Servers with Private address 10.0.0.x/24


Is that a good idea?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: DNS server behind Router

Sat Nov 06, 2010 6:53 pm

All you need is udp/53 and tcp/53, unless you manually changed the BIND configuration from its defaults (you can define alternative ports for zone transfers, for example).

Your suggested setup should work fine.
 
kdavid
Member Candidate
Topic Author
Posts: 141
Joined: Sun Jul 03, 2005 8:11 pm

Re: DNS server behind Router

Sat Nov 06, 2010 7:45 pm

All you need is udp/53 and tcp/53, unless you manually changed the BIND configuration from its defaults (you can define alternative ports for zone transfers, for example).

Your suggested setup should work fine.

Thanks fewi!

By default I can leave the config for zone transfer ports at 53 TCP/UDP, right?

Can you please explain how zone transfer works? I want to make an access list but I don't know how :( because I don't know the zone transfer directions :(
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: DNS server behind Router

Sat Nov 06, 2010 7:55 pm

That would best be implemented in BIND and not on the router, unless you can rule out that normal clients will ever use tcp/53 for normal DNS queries (older resolvers at least will use TCP for all replies that are larger than 512 bytes).
 
kdavid
Member Candidate
Topic Author
Posts: 141
Joined: Sun Jul 03, 2005 8:11 pm

Re: DNS server behind Router

Sat Nov 06, 2010 8:01 pm

That would best be implemented in BIND and not on the router, unless you can rule out that normal clients will ever use tcp/53 for normal DNS queries (older resolvers at least will use TCP for all replies that are larger than 512 bytes).

I know it is the best solution to apply the access list on Bind.

Domain delegation, if I understand, works like this: the DNS server sends changes of new domain information from the DNS server to the main DNS servers. It means I only need to set up the gateway on the DNS server to access the internet.


For resolving I only need to create port forwarding on the router for port 53 TCP and UDP.

If I am right, I can simply create a firewall to allow specific address ranges in the input chain on the MK router?

Right?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: DNS server behind Router

Sat Nov 06, 2010 8:03 pm

The input chain is used for traffic destined to the router. Traffic to a BIND server behind the router isn't destined to the router, so it will be in the forward chain instead - otherwise, that's it. If you will only have specific other DNS servers contact this BIND server an address list composed of those other DNS servers would do well with a firewall filter rule limiting traffic to the BIND server.
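One way to lay out the rules fewi describes, as an added example that is not from this thread or from MikroTik: dst-nat udp/53 and tcp/53 to BIND, filter in the forward chain, and keep the transfer restriction in BIND itself. The public address 203.0.113.10, the BIND host 10.0.0.53, the secondary 198.51.100.53, the WAN interface ether1 and the list name dns-peers are placeholders, and the default "accept established, drop invalid" forward rules are assumed to exist already.

```routeros
# Added example, not from the thread. Placeholders: public IP 203.0.113.10,
# BIND at 10.0.0.53 (inside the thread's 10.0.0.x/24), WAN interface ether1,
# secondary name server 198.51.100.53.

# 1. The other name servers that are allowed to talk to BIND for zone
#    transfers. Only useful on the router if nobody else must reach the
#    server; see the note in (3) on why tcp/53 cannot be limited this way
#    for a public authoritative server.
/ip firewall address-list
add list=dns-peers address=198.51.100.53 comment="secondary NS (placeholder)"

# 2. Port forward: expose udp/53 and tcp/53 on the public address to BIND.
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 protocol=udp \
    dst-port=53 action=dst-nat to-addresses=10.0.0.53 to-ports=53
add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 protocol=tcp \
    dst-port=53 action=dst-nat to-addresses=10.0.0.53 to-ports=53

# 3. Filtering happens in the forward chain (the traffic is not for the
#    router itself, so input rules would never match it).
#    Resolvers anywhere may use tcp/53 for large replies, so tcp/53 stays open
#    to everyone; the zone-transfer restriction belongs in BIND, e.g. in
#    named.conf:   allow-transfer { 198.51.100.53; };
/ip firewall filter
add chain=forward in-interface=ether1 dst-address=10.0.0.53 protocol=udp \
    dst-port=53 action=accept comment="DNS queries"
add chain=forward in-interface=ether1 dst-address=10.0.0.53 protocol=tcp \
    dst-port=53 action=accept comment="DNS over TCP (large replies, AXFR)"
add chain=forward in-interface=ether1 dst-address=10.0.0.53 action=drop \
    comment="nothing else from WAN may reach the DNS server"

# Alternative for the case fewi mentions (only known servers ever contact
# this BIND, e.g. a hidden master): replace the two accept rules above with
#   add chain=forward in-interface=ether1 dst-address=10.0.0.53 \
#       src-address-list=dns-peers protocol=udp dst-port=53 action=accept
#   add chain=forward in-interface=ether1 dst-address=10.0.0.53 \
#       src-address-list=dns-peers protocol=tcp dst-port=53 action=accept
```

Rule order matters: the drop rule must come after the accepts, and the router's default established/related rules must precede all of them so replies are not dropped.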
 
kdavid
Member Candidate
Topic Author
Posts: 141
Joined: Sun Jul 03, 2005 8:11 pm

Re: DNS server behind Router

Wed Nov 10, 2010 1:10 am

OK,

I applied this solution and it works very nicely.

Can anyone help me to create firewall filter rules to protect the DNS servers behind the router from attackers?
