niXforums Forum Index
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   PreferencesPreferences   Log in to check your private messagesLog in to check your private messages   Log inLog in 
·  nixdoc.net ·  man pages ·  Linux HOWTOs ·  FreeBSD Tips ·  Forums
navigation Forum index » *nix » BSD » OpenBSD
DNS zone transfers - which port?
Post new topic   Reply to topic Page 1 of 1 [6 Posts] View previous topic :: View next topic
Author Message
Seeker
*nix forums beginner


Joined: 21 Nov 2005
Posts: 21

PostPosted: Mon Jul 10, 2006 3:49 am    Post subject: Re: DNS zone transfers - which port? Reply with quote
Steve at fivetrees wrote:

Quote:
Re open DNS lookups - I've turned off external recursive DNS, as generally
recommended. Is this the same thing?

Allowing recursive queries allows someone to lookup another domain
through your server, which shouldn't be necessary for the public unless
you're an ISP (although a surprising number of servers are misconfigured
this way).

Allowing zone xfers is something different. If you don't restrict zone
xfers someone can get a lot of information about hosts in your domain.
Some are misconfigured to show non-routable, internal hosts, which
allows for a form of network enumeration.
Back to top
Steve at fivetrees
*nix forums addict


Joined: 21 May 2005
Posts: 82

PostPosted: Sat Jul 08, 2006 11:01 am    Post subject: Re: DNS zone transfers - which port? Reply with quote
"Seeker" <newsgroups@minusthespam.michaelstarks.com> wrote in message
news:gvFrg.70647$3B.36875@twister.nyroc.rr.com...
Quote:
Steve at fivetrees wrote:
Am I right in thinking that each machine would need to accept this port
from the other? There are cases where the secondary asks the primary, and
others where the primary yells at the secondary, no?

The secondary will query the primary based on the refresh value in the
zone file. It checks to see if a serial number has incremented, and if it
has, it will perform a zone transfer from the primary. From the IP point
of view, you'll need 53 TCP/UDP allowed from the primary to the secondary,
but you'll probably also want to allow it to anyone so they can do DNS
lookups.

Noted; thanks. (I went through all this when converting from BIND4 to
BIND9 - but I seem to have re-used those braincells since...)

Re open DNS lookups - I've turned off external recursive DNS, as generally
recommended. Is this the same thing? I am running an authorative nameserver
for the domains I host, so clearly this needs to be accessible. But the logs
also show some strange stuff on port 53 such as:

Quote:
Jul 8 10:18:30 ns1 named[26098]: FORMERR resolving 'caadm.com/AAAA/IN':
87.117.196.200#53
Jul 8 10:18:30 ns1 named[26098]: FORMERR resolving 'caadm.com/AAAA/IN':

66.45.225.10#53 <<

Where "caadm.com" is nothing to do with me.

ISTR this has to do with IPV6, but I confess I'm not sure.

Quote:
You can use the DNS server software, itself, to restrict zone transfers to
only allowed secondary and tertiary servers.

Yep, and I do Wink.

Quote:
This may clear some things up: http://howtoforge.net/traditional_dns_howto

Nice link - thanks.

Steve
http://www.fivetrees.com
Back to top
Seeker
*nix forums beginner


Joined: 21 Nov 2005
Posts: 21

PostPosted: Sat Jul 08, 2006 3:19 am    Post subject: Re: DNS zone transfers - which port? Reply with quote
Steve at fivetrees wrote:
Quote:
Am I right in thinking that each machine would need to accept this port from
the other? There are cases where the secondary asks the primary, and others
where the primary yells at the secondary, no?

The secondary will query the primary based on the refresh value in the
zone file. It checks to see if a serial number has incremented, and if
it has, it will perform a zone transfer from the primary. From the IP
point of view, you'll need 53 TCP/UDP allowed from the primary to the
secondary, but you'll probably also want to allow it to anyone so they
can do DNS lookups. You can use the DNS server software, itself, to
restrict zone transfers to only allowed secondary and tertiary servers.

This may clear some things up: http://howtoforge.net/traditional_dns_howto
Back to top
Steve at fivetrees
*nix forums addict


Joined: 21 May 2005
Posts: 82

PostPosted: Thu Jul 06, 2006 1:33 pm    Post subject: Re: DNS zone transfers - which port? Reply with quote
"Peter N. M. Hansteen" <peter@bgnett.no> wrote in message
news:87r70ydieg.fsf@amidala.datadok.no...
Quote:
"Steve at fivetrees" <steve@NOSPAMTAfivetrees.com> writes:

I'm tightening up the pf rules on my two coloco'ed machines. One is a
master
nameserver, the other a slave. I've searched for a clue re which port(s)
need to be enabled without success - would it be 53? Any others?

you would need port 53 (domain), tcp and udp.

Thanks. Nice to know I was not entirely clueless Wink.

Am I right in thinking that each machine would need to accept this port from
the other? There are cases where the secondary asks the primary, and others
where the primary yells at the secondary, no?

Steve
http://www.fivetrees.com
Back to top
Peter N. M. Hansteen
*nix forums addict


Joined: 19 Feb 2005
Posts: 86

PostPosted: Thu Jul 06, 2006 12:31 pm    Post subject: Re: DNS zone transfers - which port? Reply with quote
"Steve at fivetrees" <steve@NOSPAMTAfivetrees.com> writes:

Quote:
I'm tightening up the pf rules on my two coloco'ed machines. One is a master
nameserver, the other a slave. I've searched for a clue re which port(s)
need to be enabled without success - would it be 53? Any others?

you would need port 53 (domain), tcp and udp.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
Back to top
Steve at fivetrees
*nix forums addict


Joined: 21 May 2005
Posts: 82

PostPosted: Thu Jul 06, 2006 12:26 pm    Post subject: DNS zone transfers - which port? Reply with quote
I'm tightening up the pf rules on my two coloco'ed machines. One is a master
nameserver, the other a slave. I've searched for a clue re which port(s)
need to be enabled without success - would it be 53? Any others?

All cluesticks gratefully received. I'm fairly sure the answer must be
obvious, yet I've missed it somehow...

Steve
http://www.fivetrees.com
Back to top
Google
Back to top
Display posts from previous:   
Post new topic   Reply to topic Page 1 of 1 [6 Posts] View previous topic :: View next topic
The time now is Sat Nov 22, 2008 7:53 am | All times are GMT
navigation Forum index » *nix » BSD » OpenBSD
Jump to:  

Similar Topics
Topic Author Forum Replies Last Post
No new posts changing port in vsftp henk@oegema.com Suse 2 Fri Jul 21, 2006 10:42 am
No new posts does squid 2.6 support setting cache_peer port in redirec... Victor Tsang Squid 0 Fri Jul 21, 2006 8:16 am
No new posts linux port on ARM core based board. noor.fatma@gmail.com embedded 1 Wed Jul 19, 2006 6:27 am
No new posts making the proxy and/or rewrite mods respond to a particu... Mike Soultanian Apache 1 Tue Jul 18, 2006 9:46 pm
No new posts log failed attempts to a port number jayce AIX 2 Tue Jul 18, 2006 9:15 pm

Advertising | Jorge Bucay | Debt Consolidation | Cheap Loan | Loans
Copyright © 2004-2005 DeniX Solutions SRL
 
Other DeniX Solutions sites: Unix/Linux blog |  electronics forum |  medicine forum |  science forum | 
Privacy Policy


Powered by phpBB © 2001, 2005 phpBB Group

[ Time: 0.2701s ][ Queries: 20 (0.1786s) ][ GZIP on - Debug on ]