Strategy For Bind9

sonoracomm
Junior Member
Posts: 3
Joined: 17 May 2015, 22:57

Strategy For Bind9

Post by sonoracomm »

Hi,

I recently put up a new DNS server using 'bind9' and installed CSF.

I prefer to filter outgoing traffic, as much as possible, as well as incoming.

In the past, I allowed port 53 TCP and UDP in both incoming and outgoing directions with TCP_IN, TCP_OUT, UDP_IN and UDP_OUT.

However, apparently, by default and for security reasons, Bind9 uses random source ports for outside lookups. This can apparently be modified with a named.conf configuration option like:

    query-source address * port 53;

which is what I'm doing for the moment, but it logs this at startup:

    using specific query-source port suppresses port randomization and can be insecure

Does anyone have any suggestions to me for running Bind9 with CSF?

Thanks in advance,

G
Black Tiger
Junior Member
Posts: 73
Joined: 17 Feb 2009, 14:14

Re: Strategy For Bind9

Post by Black Tiger »

We're running Bind 9.8.2 with CSF but don't even use that query-source address line in the named.conf and still everything is working.
Bind 9 does use random (high) source ports to query other nameservers.
Why should you want your server to query other nameservers when it can query its own local nameserver for lookups?
That's the way we are doing it. It's doing that automatically.
sonoracomm
Junior Member
Posts: 3
Joined: 17 May 2015, 22:57

Re: Strategy For Bind9

Post by sonoracomm »

On our servers, we also filter outbound traffic so the "random (high) source ports" are blocked. We only allow specific (minimal) outbound traffic to limit what a compromised server can do.

I also found this comment in csf.conf, which sounds somewhat pertinent:

    # If you allow incoming DNS lookups you may need to use the following
    # directive in the options{} section of your named.conf:
    #
    #        query-source port 53;
    #
    # This will force incoming DNS traffic only through port 53

Evidently, this is also well known in the Bind world and I just have to use the Bind9 configuration option:

    query-source address * port 53;

Thanks,

G
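The two knobs this thread turns, as a check you can run on the server. This is an added example, not code from the posters or from the BIND or CSF projects: a POSIX shell script with one function that reports whether a named.conf pins the query-source port (the setting that produces the "suppresses port randomization" warning at startup) and one that reports whether a csf.conf TCP_OUT or UDP_OUT list contains destination port 53, directly or inside an A:B range. The file paths and the sample named.conf and csf.conf contents are constructed for the demo; the /etc/bind and /etc/csf paths mentioned in the comments are assumed.

```shell
#!/bin/sh
# Added example, not from the thread or from the BIND/CSF projects.
# Audits the two settings discussed above:
#   1. does named.conf pin the query-source port, suppressing BIND's
#      source-port randomization?
#   2. do CSF's TCP_OUT / UDP_OUT lists include destination port 53?
# The sample configs below are constructed for the demo. On a real host
# point the functions at /etc/bind/named.conf(.options) and
# /etc/csf/csf.conf instead (assumed paths).

# Exit 0 if the named.conf given as $1 has a query-source (or
# query-source-v6) statement with a numeric port, i.e. randomization is
# suppressed. "port *" or no port clause keeps randomization.
# Strips // and # comments; /* */ block comments are not handled.
query_source_port_pinned() {
    sed -e 's|//.*||' -e 's|#.*||' "$1" \
        | tr '\n' ' ' \
        | grep -Eq 'query-source(-v6)?[^;]*port[[:space:]]+[0-9]+[^;]*;'
}

# Exit 0 if the csf.conf given as $1 lists port 53, on its own or inside
# an A:B range, in the variable named by $2 (TCP_OUT or UDP_OUT).
csf_out_allows_53() {
    grep -E "^$2[[:space:]]*=" "$1" | head -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/["[:space:]]//g' \
        | tr ',' '\n' \
        | awk -F: '
            NF == 1 && $1 == 53               { found = 1 }
            NF == 2 && $1 <= 53 && 53 <= $2   { found = 1 }
            END { exit (found ? 0 : 1) }'
}

PINNED_CONF=$(mktemp)
RANDOMIZED_CONF=$(mktemp)
CSF_CONF=$(mktemp)
trap 'rm -f "$PINNED_CONF" "$RANDOMIZED_CONF" "$CSF_CONF"' EXIT

# Constructed named.conf: the setting the original poster used.
cat > "$PINNED_CONF" <<'EOF'
options {
    directory "/var/cache/bind";
    listen-on port 53 { any; };
    query-source address * port 53;   // pins the UDP source port to 53
};
EOF

# Constructed named.conf: explicit wildcard port, randomization kept.
cat > "$RANDOMIZED_CONF" <<'EOF'
options {
    directory "/var/cache/bind";
    listen-on port 53 { any; };
    # query-source address * port 53;   (left commented out)
    query-source address * port *;
};
EOF

# Constructed csf.conf fragment: 53 sits inside a UDP_OUT range and is
# absent from TCP_OUT.
cat > "$CSF_CONF" <<'EOF'
TCP_IN = "22,25,53,80,443"
TCP_OUT = "22,25,80,443"
UDP_IN = "53"
UDP_OUT = "50:60,113,123"
EOF

report_named() {
    if query_source_port_pinned "$1"; then
        echo "$1: query-source port pinned (randomization suppressed)"
    else
        echo "$1: query-source port randomized"
    fi
}

report_named "$PINNED_CONF"
report_named "$RANDOMIZED_CONF"
for v in TCP_OUT UDP_OUT; do
    if csf_out_allows_53 "$CSF_CONF" "$v"; then
        echo "csf.conf: $v allows destination port 53"
    else
        echo "csf.conf: $v does not allow destination port 53"
    fi
done
```

Run it as-is to see the four verdicts on the constructed files, then call the two functions against the real paths. The named.conf check only reads statements ending in `;` after `//` and `#` comments are stripped, so a `query-source` line hidden inside a `/* ... */` block would be reported as pinned.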