[BlueOnyx:13901] Re: Blueonyx Digest, Vol 58, Issue 30

Stephanie Sullivan ses at aviaweb.com
Wed Oct 23 09:16:17 -05 2013


Gen,

This is much more interesting than you might realize. The big answer is: it
depends.

In the typical BX setup each server is a DNS master for the domains of the
sites it hosts. This is how the per-site DNS management works. Back in the
good old RaQ3/4 days we set our design to use dedicated servers for DNS.
Since we were making all the changes we just set up two servers to be master
and slave to all the zones.

If you do NOT run DNS servers on your BX server then there are no special rules.

If you do run a DNS server on your BX box I open TCP and UDP incoming to
port 53. I don't use IPTables based "recent" limiting on DNS like wcstaff
suggests but it's not too bad of an idea. I do use it on other services like
ssh, ftp, pop and imap. The recent module needs to be cleared out every once
in a while or it can result in inaccurate blocking (in my experience). But
it can be VERY useful.

I just open up UDP and TCP incoming to port 53. Most DNS access that isn't
zone transfer should happen through UDP.


By all means - turn OFF recursion except for your own servers. You almost
certainly don't need to resolve zones off your server except for requests
from your own servers. That prevents a plethora of abusive actions.

I hope this is helpful.

	Thanks,
		-Stephanie

> -----Original Message-----
> From: gen at ercuk.com [mailto:gen at ercuk.com]
> Sent: Wednesday, October 23, 2013 6:26 AM
> To: blueonyx at mail.blueonyx.it
> Subject: [BlueOnyx:13897] Re: Blueonyx Digest, Vol 58, Issue 30
> 
> Re: BlueOnyx-5108R-CentOS-6.3:
> 
> Should I have Port 53 Open?
> There seems to be a lot of disagreement about this on the web.
> 
> My domains won't load without my Port 53 being open!
> 
> Thanks
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
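The firewall rules and BIND recursion setting Stephanie describes in her reply above, as an added example that is not from the thread: the script only emits the commands and config as text for review (pipe the output to sh as root to apply). The "SSH" recent-list name, the ssh port, and the address ranges are assumed.

```shell
#!/bin/sh
# Added example, not the list's or project's own code.

# Accept DNS queries and zone transfers on port 53, UDP and TCP, from any source.
dns_rules() {
    printf 'iptables -A INPUT -p udp --dport 53 -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport 53 -j ACCEPT\n'
}

# Rate-limit new TCP connections to a non-DNS service with the iptables "recent"
# module: a source that reaches HITS new connections within SECONDS is dropped.
# usage: recent_limit PORT LISTNAME SECONDS HITS
recent_limit() {
    printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -m recent --set --name %s\n' "$1" "$2"
    printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -m recent --update --seconds %s --hitcount %s --name %s -j DROP\n' "$1" "$3" "$4" "$2"
}

# The recent list keeps stale entries; writing "/" to its proc file flushes it
# (the periodic clean-out the reply recommends, e.g. from cron).
recent_flush() {
    printf 'echo / > /proc/net/xt_recent/%s\n' "$1"
}

# BIND options that answer recursive queries only for our own hosts (the ACL
# entries) and allow zone transfers only to the listed slave.
# usage: named_options "ACL;ENTRIES;" "SLAVE;"
named_options() {
    cat <<EOF
acl "ours" { $1 };
options {
    recursion yes;
    allow-recursion { ours; };
    allow-query-cache { ours; };
    allow-transfer { $2 };
};
EOF
}

# Example run with constructed addresses (RFC 5737 documentation ranges).
dns_rules
recent_limit 22 SSH 60 4
recent_flush SSH
named_options "127.0.0.1; 192.0.2.0/24;" "198.51.100.2;"
```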