This is a discussion on "DNS zone transfers - which port?" within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
I'm tightening up the pf rules on my two colo'ed machines. One is a master nameserver, the other a slave. I've searched for a clue re which port(s) need to be enabled without success - would it be 53? Any others? All cluesticks gratefully received. I'm fairly sure the answer must be obvious, yet I've missed it somehow...

Steve
http://www.fivetrees.com
"Steve at fivetrees" <steve@NOSPAMTAfivetrees.com> writes:

> I'm tightening up the pf rules on my two colo'ed machines. One is a master
> nameserver, the other a slave. I've searched for a clue re which port(s)
> need to be enabled without success - would it be 53? Any others?

You would need port 53 (domain), TCP and UDP.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
"Peter N. M. Hansteen" <peter@bgnett.no> wrote in message news:87r70ydieg.fsf@amidala.datadok.no...

> "Steve at fivetrees" <steve@NOSPAMTAfivetrees.com> writes:
>
>> I'm tightening up the pf rules on my two colo'ed machines. One is a
>> master nameserver, the other a slave. I've searched for a clue re which
>> port(s) need to be enabled without success - would it be 53? Any others?
>
> you would need port 53 (domain), tcp and udp.

Thanks. Nice to know I was not entirely clueless.

Am I right in thinking that each machine would need to accept this port from the other? There are cases where the secondary asks the primary, and others where the primary yells at the secondary, no?

Steve
http://www.fivetrees.com
Steve at fivetrees wrote:

> Am I right in thinking that each machine would need to accept this port from
> the other? There are cases where the secondary asks the primary, and others
> where the primary yells at the secondary, no?

The secondary will query the primary based on the refresh value in the zone file. It checks to see if the serial number has incremented, and if it has, it will perform a zone transfer from the primary. From the IP point of view, you'll need 53 TCP/UDP allowed from the primary to the secondary, but you'll probably also want to allow it to anyone so they can do DNS lookups.

You can use the DNS server software itself to restrict zone transfers to only the allowed secondary and tertiary servers.

This may clear some things up: http://howtoforge.net/traditional_dns_howto
"Seeker" <newsgroups@minusthespam.michaelstarks.com> wrote in message news:gvFrg.70647$3B.36875@twister.nyroc.rr.com...

> Steve at fivetrees wrote:
>> Am I right in thinking that each machine would need to accept this port
>> from the other? There are cases where the secondary asks the primary, and
>> others where the primary yells at the secondary, no?
>
> The secondary will query the primary based on the refresh value in the
> zone file. It checks to see if a serial number has incremented, and if it
> has, it will perform a zone transfer from the primary. From the IP point
> of view, you'll need 53 TCP/UDP allowed from the primary to the secondary,
> but you'll probably also want to allow it to anyone so they can do DNS
> lookups.

Noted; thanks. (I went through all this when converting from BIND4 to BIND9 - but I seem to have re-used those braincells since...)

Re open DNS lookups - I've turned off external recursive DNS, as generally recommended. Is this the same thing? I am running an authoritative nameserver for the domains I host, so clearly this needs to be accessible. But the logs also show some strange stuff on port 53 such as:

>> Jul 8 10:18:30 ns1 named[26098]: FORMERR resolving 'caadm.com/AAAA/IN': 87.117.196.200#53
>> Jul 8 10:18:30 ns1 named[26098]: FORMERR resolving 'caadm.com/AAAA/IN': 66.45.225.10#53
<<

Where "caadm.com" is nothing to do with me. ISTR this has to do with IPv6, but I confess I'm not sure.

> You can use the DNS server software, itself, to restrict zone transfers to
> only allowed secondary and tertiary servers.

Yep, and I do.

> This may clear some things up: http://howtoforge.net/traditional_dns_howto

Nice link - thanks.

Steve
http://www.fivetrees.com
Steve at fivetrees wrote:

> Re open DNS lookups - I've turned off external recursive DNS, as generally
> recommended. Is this the same thing?

Allowing recursive queries allows someone to look up another domain through your server, which shouldn't be necessary for the public unless you're an ISP (although a surprising number of servers are misconfigured this way). Allowing zone xfers is something different. If you don't restrict zone xfers, someone can get a lot of information about hosts in your domain. Some are misconfigured to show non-routable, internal hosts, which allows for a form of network enumeration.
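The mechanics Seeker's two replies describe, written out as an added example (it is not code from any poster, from BIND, or from the howtoforge page): the refresh-time SOA serial probe with RFC 1982 serial comparison, the AXFR over 53/tcp with the two-byte length prefix that a pf rule for port 53 must pass, and a check of a transferred zone for the internal-host leak an unrestricted transfer hands out. The zone example.com, the hostnames and addresses in SAMPLE_AXFR, and all function names are made up for the illustration; only the wire format follows RFC 1035.

```python
import ipaddress
import socket
import struct

QTYPE_A, QTYPE_SOA, QTYPE_AXFR, QCLASS_IN = 1, 6, 252, 1
INTERNAL_NETS = [ipaddress.ip_network(n) for n in          # RFC 1918, loopback, link-local
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 label format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype, msg_id):
    """One-question message with RD clear: an authoritative server is not asked to recurse."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def read_name(msg, off):
    """Decode a possibly compressed owner name; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(255):                                  # bound the walk so a pointer loop can't hang us
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end         # resume after the first pointer seen
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("compression pointer loop")

def parse_records(msg):
    """Return (answer_count, [(owner, rtype, rdata_offset, rdata), ...]) for every RR."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, rrs = 12, []
    for _ in range(qd):                                   # skip the question section
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((owner, rtype, off, msg[off:off + rdlen]))
        off += rdlen
    return an, rrs

def soa_serial(msg, rdata_off):
    """SOA RDATA is MNAME, RNAME (both may be compressed), then SERIAL, REFRESH, ..."""
    off = read_name(msg, read_name(msg, rdata_off)[1])[1]
    return struct.unpack("!I", msg[off:off + 4])[0]

def serial_newer(remote, local):
    """RFC 1982 order: True when remote is ahead of local, including the wrap past 2**32."""
    return remote != local and ((remote - local) & 0xFFFFFFFF) < 0x80000000

def private_hosts(rrs):
    """A records pointing at internal space: the enumeration leak of an unrestricted AXFR."""
    ips = [(o, ipaddress.IPv4Address(r)) for o, t, _, r in rrs if t == QTYPE_A and len(r) == 4]
    return [(o, str(ip)) for o, ip in ips if any(ip in n for n in INTERNAL_NETS)]

def tcp_exchange(host, name, qtype, port=53, timeout=5.0):
    """Query over 53/tcp with the two-byte length prefix of RFC 1035 4.2.2; an AXFR answer
    may span several messages and ends with a second SOA. Needs a live server."""
    query = build_query(name, qtype, 0x2A2A)
    msgs, soa_seen = [], 0
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        stream = sock.makefile("rb")
        while soa_seen < 2:
            hdr = stream.read(2)
            if len(hdr) < 2:
                break
            msg = stream.read(struct.unpack("!H", hdr)[0])
            msgs.append(msg)
            soa_seen += sum(1 for rr in parse_records(msg)[1] if rr[1] == QTYPE_SOA)
            if qtype != QTYPE_AXFR:
                break
    return msgs

def refresh(primary, zone, local_serial):
    """A secondary's REFRESH cycle: probe the SOA, transfer only if the serial moved on.
    (Servers send the probe over UDP; TCP here keeps the example to one transport.)"""
    msg = tcp_exchange(primary, zone, QTYPE_SOA)[0]
    _, rrs = parse_records(msg)
    remote = next(soa_serial(msg, rr[2]) for rr in rrs if rr[1] == QTYPE_SOA)
    return remote, (tcp_exchange(primary, zone, QTYPE_AXFR) if serial_newer(remote, local_serial) else [])

# Constructed sample: an unrestricted AXFR of a made-up example.com zone (not captured traffic).
def _rr(owner, rtype, rdata, ttl=3600):
    return owner + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata

QNAME_PTR = b"\xc0\x0c"                                   # pointer to the question name at offset 12
SOA_RDATA = (b"\x03ns1" + QNAME_PTR + b"\x0ahostmaster" + QNAME_PTR
             + struct.pack("!IIIII", 2006070801, 7200, 900, 1209600, 3600))
SAMPLE_AXFR = (struct.pack("!HHHHHH", 0x2A2A, 0x8400, 1, 4, 0, 0)
               + encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
               + _rr(QNAME_PTR, QTYPE_SOA, SOA_RDATA)
               + _rr(b"\x03www" + QNAME_PTR, QTYPE_A, bytes([203, 0, 113, 10]))
               + _rr(b"\x08intranet" + QNAME_PTR, QTYPE_A, bytes([192, 168, 1, 10]))
               + _rr(QNAME_PTR, QTYPE_SOA, SOA_RDATA))
```

Against the constructed sample, `private_hosts(parse_records(SAMPLE_AXFR)[1])` flags `intranet.example.com` at 192.168.1.10, which is exactly the kind of record an `allow-transfer` restriction on the server keeps away from anyone but the listed secondaries; `refresh("ns1.example.com", "example.com", 2006070801)` (hypothetical host) would run the real cycle. Note which end opens the connection: in `refresh` it is the secondary that connects to the primary's port 53 for both the SOA probe and the AXFR, so the primary's pf ruleset must pass inbound 53/tcp and 53/udp from the secondary; the one message that travels the other way is an RFC 1996 NOTIFY from the primary, which is the "primary yells at the secondary" case and needs port 53 open on the secondary in turn.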