Now that use of source port 53 is deprecated (like "query-source address
* port 53;"), what is the best way to configure ipfw to allow dns access?
I know I can configure a static port in the range 49160 to 65530, but I
don't want to do that.
Which means that named will choose a random (high) port.
But if I want to have some control over it (the outgoing traffic from
named) in ipfw, how do I do that?
--
Torfinn Ingolfsen,
Norway
The target port will always be 53, so create a dynamic rule for outbound
traffic. You don't need to allow all hosts to use UDP/53, only your
recursive query server.
If you are hosting an authoritative DNS server for outside hosts, keep
it on a separate IP address from your query server.
ext-if is the name of your external interface
my_auth_dns="a.b.c.d/29{x,y}"
my_allowed="a.b.c.d/29{i,j,k,l}"
my_net="a.b.c.d/29"
# check for matching dynamic rules first
ipfw add check-state
# permit external hosts to query our DNS
ipfw add allow udp from any to $my_auth_dns 53 in recv ext-if keep-state
# only need this rule if we ever send large responses
ipfw add allow tcp from any to $my_auth_dns 53 in recv ext-if setup keep-state
# deny UDP traffic inbound
ipfw add deny udp from any to $my_net recv ext-if
# permit inside hosts to query outside DNS servers
ipfw add allow udp from $my_allowed to any 53 out xmit ext-if keep-state
> ipfw add deny udp from any to $my_net recv ext-if
ipfw add deny udp from any to $my_net in recv ext-if
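As an added example, not code posted in this thread: the reply above, with the "in" from the follow-up correction, turned into a small sh script. It prints the ipfw commands by default and only runs them when invoked as "apply", so it can be tried on any box. The interface name em0, the 192.0.2.0/29 addresses (RFC 5737 documentation space) and the rule numbers are assumptions chosen for the example; the helper functions rule_count, resolver_exposed and resolver_query_rule are also my additions.

```shell
#!/bin/sh
# Added example, not code from the original thread. Emits the rule set from the
# reply above (plus the "in" from the follow-up correction) as ipfw commands.
# Interface, addresses and rule numbers are assumptions for the example.

ext_if="em0"                      # assumed external interface
my_net="192.0.2.0/29"             # assumed site prefix
my_auth_dns="192.0.2.0/29{2,3}"   # hosts that serve zones to the outside (ipfw address-set syntax)
my_allowed="192.0.2.0/29{4,5}"    # hosts running the recursive resolver (named)

# gen_rules: emit one complete "ipfw add" command per line, in install order.
# The address sets are emitted inside double quotes so that a shell with brace
# expansion (bash) cannot turn 192.0.2.0/29{2,3} into two bogus arguments.
gen_rules() {
    cat <<EOF
ipfw add 1000 check-state
ipfw add 1010 allow udp from any to "$my_auth_dns" 53 in recv $ext_if keep-state
ipfw add 1020 allow tcp from any to "$my_auth_dns" 53 in recv $ext_if setup keep-state
ipfw add 1030 deny udp from any to "$my_net" in recv $ext_if
ipfw add 1040 allow udp from "$my_allowed" to any 53 out xmit $ext_if keep-state
EOF
}

# rule_count: how many commands gen_rules emits.
rule_count() {
    gen_rules | wc -l | tr -d ' '
}

# resolver_exposed: succeeds (exit 0) if the generated set would let arbitrary
# outside hosts reach UDP/53 on the recursive resolvers, the mistake the reply
# warns against. The only inbound UDP/53 allow must name the authoritative hosts.
resolver_exposed() {
    gen_rules | grep -F 'allow udp from any to' | grep -qF "\"$my_allowed\""
}

# resolver_query_rule: the one rule that lets named, using its random source
# port, send queries out. Its keep-state creates the dynamic rule that later
# admits the reply through check-state, so no inbound port needs to be opened.
resolver_query_rule() {
    gen_rules | grep -F "from \"$my_allowed\" to any 53 out"
}

case "${1:-print}" in
    print) gen_rules ;;
    apply) gen_rules | sh -e ;;
    *)     echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments and read the output before using "apply"; check-state must stay first so that replies to the resolver's outbound queries are matched by their dynamic rule before rule 1030 drops them. Rule 1030 only denies UDP aimed at your own prefix, so packets transiting the box to other networks are unaffected. If you add zone transfers or large responses to the authoritative hosts, rule 1020 already covers inbound TCP/53; nothing in this set needs to know which high port named picked.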