DNS server behind Router

Hello,

We have a DNS server based on Bind9. For security reasons we want to use the DNS server behind a router. Which ports need to be forwarded from public to private addresses?

I know that DNS servers work on port 53 UDP, sometimes TCP, but we have a reverse delegation, too.

It is used for DNS hosting, too.


Public IP -------------Router---------- DNS Servers with Private address 10.0.0.x/24


Is that a good idea?

All you need is udp/53 and tcp/53, unless you manually changed the BIND configuration from its defaults (you can define alternative ports for zone transfers, for example).

Your suggested setup should work fine.

Thanks fewi!

By default I can leave the config for zone transfer ports at 53 tcp/udp, right?

Can you please explain how zone transfer works? I want to make an access list but I don't know how :( because I don't know the zone transfer directions :(

That would best be implemented in BIND and not on the router, unless you can rule out that normal clients will ever use tcp/53 for normal DNS queries (older resolvers at least will use TCP for all replies that are larger than 512 bytes).
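To make the "implement it in BIND" advice concrete, here is an added example of the zone-transfer part of a named.conf for the primary server behind the router. This is not configuration from the thread; the server address 10.0.0.53, the secondary addresses 198.51.100.10 and 203.0.113.20, the hosted range 192.0.2.0/24 and the zone names are all placeholders (documentation ranges). The comments also answer the direction question: the secondary opens a TCP/53 connection to the primary and pulls the zone (AXFR/IXFR); the primary only sends NOTIFY messages (UDP/53) outbound to tell secondaries to come and fetch.

```conf
// Added example, not from the thread: named.conf fragment for a primary
// BIND9 server at 10.0.0.53 behind a NAT router. All addresses and zone
// names are placeholders.

acl "secondaries" {
    198.51.100.10;      // secondary NS (placeholder)
    203.0.113.20;       // second secondary NS (placeholder)
};

options {
    directory "/var/cache/bind";
    listen-on { 10.0.0.53; };
    // Global default: transfer zones to nobody. Each zone opens this up
    // only for the hosts in the "secondaries" ACL.
    allow-transfer { none; };
    // An authoritative server exposed to the internet should not be an
    // open resolver, so do not recurse for strangers.
    recursion no;
    allow-query { any; };
};

zone "example.net" {
    type master;
    file "/etc/bind/db.example.net";
    // Direction of a transfer: the SECONDARY connects to THIS server on
    // tcp/53 and asks for AXFR/IXFR. The ACL therefore matches the
    // secondaries' source addresses; dst-nat on the router rewrites only
    // the destination, so BIND still sees the real source address.
    allow-transfer { secondaries; };
    // When the zone changes this server sends NOTIFY (udp/53) OUT to the
    // secondaries. That is outbound traffic and needs no port forward,
    // only a working default gateway / source NAT on the router.
    notify yes;
    also-notify { 198.51.100.10; 203.0.113.20; };
};

// The reverse delegation is just another zone; the same rules apply.
zone "2.0.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.0.2";
    allow-transfer { secondaries; };
};
```

An address-based ACL is reasonable here because AXFR runs over TCP and is hard to spoof, but if the secondaries are run by someone else a TSIG key (`allow-transfer { key "xfer-key"; }`) is the stronger choice and works unchanged behind the NAT. Check the result with `named-checkconf` before reloading.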

I know the best solution is to apply the access list on Bind.

Domain delegation, if I understand it, works like this: the DNS server sends changes of new domain information from the DNS server to the main DNS servers. It means I only need to set up the gateway on the DNS server to access the internet.


For resolving I only need to create port forwarding on the router for port 53 tcp and udp.

If I am right, I can simply create a firewall rule to allow specific address ranges in the input chain on the MK router?

Right?

The input chain is used for traffic destined to the router. Traffic to a BIND server behind the router isn’t destined to the router, so it will be in the forward chain instead - otherwise, that’s it. If you will only have specific other DNS servers contact this BIND server an address list composed of those other DNS servers would do well with a firewall filter rule limiting traffic to the BIND server.
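Putting the two answers together (forward udp/53 and tcp/53, then filter in the forward chain, optionally restricted to an address list of known DNS peers), here is an added RouterOS example that is not from the thread. It assumes ether1 is the WAN interface, the BIND server sits at 10.0.0.53 and the peer addresses in the list are placeholders; adjust all three.

```routeros
# Added example, not from the thread. Assumptions: ether1 = internet side,
# BIND server = 10.0.0.53, peer addresses are placeholders.

# Other DNS servers that are allowed to reach BIND if you want to
# restrict access (e.g. a hidden primary whose only clients are its
# secondaries). For a public authoritative server leave this unused.
/ip firewall address-list
add list=dns-peers address=198.51.100.10 comment="secondary NS (placeholder)"
add list=dns-peers address=203.0.113.20 comment="secondary NS (placeholder)"

# Port forwarding: rewrite the destination of udp/53 and tcp/53 arriving
# on the public interface to the private BIND address. dst-nat does not
# touch the source address, so BIND still sees who is really asking.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=udp dst-port=53 \
    action=dst-nat to-addresses=10.0.0.53 to-ports=53 comment="DNS udp"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=10.0.0.53 to-ports=53 comment="DNS tcp"
# Let the server itself reach the internet (NOTIFY, outbound lookups).
add chain=srcnat out-interface=ether1 action=masquerade

# Filtering happens in the FORWARD chain, because the packets are routed
# through the router, not addressed to it. Only dst-natted DNS traffic is
# allowed to reach the server; anything else to 10.0.0.53 from outside is
# dropped before it gets there.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 dst-address=10.0.0.53 \
    protocol=udp dst-port=53 connection-nat-state=dstnat action=accept
add chain=forward in-interface=ether1 dst-address=10.0.0.53 \
    protocol=tcp dst-port=53 connection-nat-state=dstnat action=accept
add chain=forward in-interface=ether1 dst-address=10.0.0.53 \
    action=drop comment="everything else to the DNS server"
```

If only the listed peers may talk to the server, add `src-address-list=dns-peers` to the two accept rules. Do not do that on a server that hosts public zones: every resolver on the internet must be able to query it, and, as noted above, the router cannot tell a TCP query from a zone transfer, so the transfer restriction belongs in BIND's `allow-transfer`, not here. Rule order matters on RouterOS; the accept rules must sit above the drop rule.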

OK,

I applied this solution and it works very nicely.

Can anyone help me create firewall filter rules to protect the DNS servers behind the router from attackers?