Configure a cache-only DNS server on 198.4.195.45.
I have the default /etc/named.conf file, with 2 modifications:
…
listen-on port 53 { 127.0.0.1; 198.4.195.45; };
allow-query { localhost; 192.168.122.0/24; };
…
/etc/sysconfig/iptables:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [110:14686]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5900:5904 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Iptables is enabled on 198.4.195.45. From server 192.168.122.5, entering
# dig@198.4.195.45 cnn.com
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6 <<>> @198.4.195.45 cnn.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
There is no DNS related query activity is record on 198.4.195.45’s messages file.
If I stop iptables on 198.4.195.45, dig command resolves cnn.com.
Iptables –L shows
…
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
…
Port 53 is opened. Is there any other port need to be open? What do I miss?
Thanks.

If I read this correctly you have a caching-only name server set to serve your 192.168.122.0/24 range only. It should not listen on its public interface.


Apart from re-ordering your rule set I've never seen network device notation using a plus sign...


If you intend the caching-only name server to only serve your LAN, after all you set a strict "allow-query" rule, then what should accessing it via its public IP accomplish?