RE: [squid-users] why is the UDP port for DNS queries kept "open"?

From: Steve Bremer <steveb@dont-contact.us>
Date: Mon, 18 Mar 2002 13:33:12 -0600

Hi,

> Are your NICs PCI-based? If so, I believe they all behave as a single unit
> (ie. any card can answer to any address defined in ifconfig), so attempting
> to block by interface doesn't have any effect. I've had the same trouble
> with ipchains/iptables.

This isn't true under Linux, but I don't know about other *nixes. I
believe there is a sysctl option to enable this functionality, but I
can't recall what it is right now. It's not enabled by default, at least
not on the distros I've tried.

>
> If you are really worried about the security of having port 53 open, I
> suggest you move your DNS onto a dedicated server in your DMZ (ie. on your

I think there is a little confusion here. The port being bound to is a
high-numbered port above 1023. As I understand it, this is done by
the internal DNS resolver in Squid. I run dnscache on the Squid box
itself, so it doesn't have to contact an external DNS server.
Dnscache is bound to an interface that is not exposed to a hostile
environment. I would like Squid's internal DNS resolver to do the
same if possible.

Thanks,
Steve
Received on Mon Mar 18 2002 - 12:35:02 MST
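The practical check behind this thread is which local address a process's UDP socket is actually bound to: a socket on 0.0.0.0 (or `*` / `[::]`) answers on every interface, including a hostile-facing one, whereas dnscache in the post is bound to a single internal address. The shell snippet below is an added example, not code from the original thread or from Squid; it parses the output of `ss -ulpn` on a modern Linux box and reports the wildcard-bound UDP sockets of a named process. The `ss` output embedded in it is constructed for illustration (the port 32771 and the PIDs are made up), and `check_live` is a hypothetical wrapper that runs the same filter against the live system.

```shell
#!/bin/sh
# Added example (not from the original thread or from Squid): given the
# output of `ss -ulpn`, list the UDP sockets of a named process that are
# bound to the wildcard address (0.0.0.0, *, [::] or ::), i.e. reachable
# on every interface, including ones facing a hostile network.

# Usage: find_wildcard_udp PROCESS_NAME < ss_output
# Prints one "addr:port" line per wildcard-bound UDP socket of PROCESS_NAME.
find_wildcard_udp() {
    proc="$1"
    awk -v proc="$proc" '
        # ss -ulpn columns: State Recv-Q Send-Q Local:Port Peer:Port Process
        # Skip the header (NR == 1); match lines whose Process column names
        # the wanted program, which ss prints quoted: users:(("squid",pid=...
        NR > 1 && index($0, "\"" proc "\"") {
            local = $4
            # The port is everything after the last ":"; the address is
            # the rest (this also handles bracketed IPv6 like [::]:53).
            n = split(local, parts, ":")
            port = parts[n]
            addr = substr(local, 1, length(local) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") {
                print addr ":" port
            }
        }'
}

# Constructed sample of `ss -ulpn` output (addresses, ports and PIDs made up):
# dnscache is bound to the loopback address only, while the proxy has one
# UDP socket on the wildcard address and one on a specific internal address.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.1:53       0.0.0.0:*         users:(("dnscache",pid=1234,fd=3))
UNCONN 0      0      0.0.0.0:32771      0.0.0.0:*         users:(("squid",pid=2345,fd=7))
UNCONN 0      0      192.0.2.10:3130    0.0.0.0:*         users:(("squid",pid=2345,fd=9))'

# Run the filter against the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | find_wildcard_udp "$1"
}

# Hypothetical wrapper for a live system; requires the `ss` utility.
check_live() {
    ss -ulpn | find_wildcard_udp "$1"
}

check_sample squid      # prints 0.0.0.0:32771
check_sample dnscache   # prints nothing: bound to 127.0.0.1 only
```

A non-empty result for a process that is only meant to talk to a local resolver is the condition the post describes: the socket will accept datagrams on whichever interface faces the hostile network, regardless of which interface the queries are sent out on. Packet filtering by interface is then the backstop, not a substitute for binding the socket to the right address.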

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:06:58 MST