[Unbound-users] Unbound and firewall

Ondřej Surý ondrej at sury.org
Thu Nov 29 16:35:20 UTC 2012


You really don't want to do that. Lookup up and read about Kaminsky DNS bug.

Ondřej Surý

On 29. 11. 2012, at 16:59, Ricardo Fraile <rfrail3 at yahoo.es> wrote:

> I think that the unbound open an arbitrary udp port, how can I fix for use always the same port?
> 
> 
> 
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> udp        0      0 0.0.0.0:53              0.0.0.0:*                           1152/unbound    
> udp        0      0 0.0.0.0:17790           0.0.0.0:*                           1152/unbound 
> 
> 
> 
> 
> 
> thanks,
> 
> De: Ricardo Fraile <rfrail3 at yahoo.es>
> Para: "unbound-users at unbound.net" <unbound-users at unbound.net> 
> Enviado: Jueves 29 de noviembre de 2012 16:43
> Asunto: Unbound and firewall
> 
> Hello, 
> 
>    I try to put iptables in the same server that unbound but 	I can't do a local resolv:
> 
> dig terra.es @127.0.0.1
> 
> ; <<>> DiG 9.7.3 <<>> terra.es @127.0.0.1
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> 
> 
> whit this iptables rules:
> 
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2271:2106405]
> -A INPUT -s 30.0.0.0/8 -p tcp -j ACCEPT 
> -A INPUT -s 30.0.0.0/8 -p udp -j ACCEPT 
> -A INPUT -s 30.0.0.0/8 -p icmp -j ACCEPT 
> -A INPUT -s 127.0.0.1/32 -p udp -j ACCEPT 
> -A INPUT -s 127.0.0.1/32 -p tcp -j ACCEPT 
> -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT 
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT 
> -A INPUT -j DROP 
> COMMIT
> 
> 
> 
> If I clean the firewall, all works, but why? Which ports use unbound for the queries?
> 
> 
> Thanks,
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20121129/d7c19b8c/attachment.htm>


More information about the Unbound-users mailing list