LinuxQuestions.org
Old 11-08-2003, 08:03 PM   #1
dexter_modem
Member
 
Registered: Oct 2002
Location: Chicago
Distribution: slackware > redhat
Posts: 69

Rep: Reputation: 15
DNS and Firewall


iptables -A INPUT -p udp -s 0/0 --source-port 53 -d 0/0 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 53 --syn -j ACCEPT

Will these rules in my firewall script make it so I can have people use me as a primary DNS server?
 
Old 11-09-2003, 02:11 AM   #2
Mrcdm
Member
 
Registered: Apr 2003
Location: Australia
Distribution: Debian 3, 31r0, 4, slackware, DSL, RH8.0/7, MDK9/10, et al. Vista is cute but not Linux - I tried
Posts: 70

Rep: Reputation: 15
You don't need the tcp part, and change the destination port in your first section to 53, i.e.:

iptables -A INPUT -p udp --sport 1025:65535 --dport 53 -j ACCEPT

I'm pretty sure DNS queries don't originate from port 53, so the destination would be your machine. You probably don't even need the sport entry, but to make sure the query came from a non-privileged port, keep it there.

If you have a trusted and an untrusted network (two cards) then you need to put the IP address in to allow only one of those. This script would allow all connections to port 53 from anywhere. So for trusted:
trusted network = 192.168.0.0/24

iptables -A INPUT -p udp -s 192.168.0.0/24 --sport 1025: --dport 53 -j ACCEPT

Let me know if it helps
 
Old 11-09-2003, 03:15 AM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
So there's a lot of wrong information about DNS assumed by people not familiar with it.

First off, yes, DNS does use both UDP and TCP!!! Nearly all queries use UDP by default, but zone file transfers (axfr) and also responses that are too big to fit in a single UDP datagram will use TCP. You need to allow both.

Second, the source port can be either 53 or >1023, depending on whether it's a daemon or a client making the request and how such daemon/client is configured. You need to allow both.
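As an added example (not code from any of the posts in this thread), the following Python model runs a few constructed packets through the INPUT rules from posts #1 and #2 and through a rule set that follows the advice in this post. The evaluator is a toy: it models only the match options the posts use (-p, --sport, --dport, --syn), a first-match chain with a default DROP policy, and no connection tracking, so responses to outbound queries are not considered. The sample packets and port numbers are constructed.

```python
"""Toy first-match evaluator for the INPUT rules discussed in this thread.

Constructed example: only -p, --sport, --dport and --syn are modelled, the
chain policy is DROP, and connection tracking is not represented.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN without ACK, which is what --syn matches


@dataclass(frozen=True)
class Rule:
    proto: str
    sport: Tuple[int, int] = (1, 65535)   # inclusive range, like --sport a:b
    dport: Tuple[int, int] = (1, 65535)
    syn: Optional[bool] = None            # None = not specified, True = --syn
    target: str = "ACCEPT"

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.syn is not None and p.syn != self.syn:
            return False
        return True


def verdict(rules, packet: Packet, policy: str = "DROP") -> str:
    """First matching rule decides, as in a chain traversal; else the policy."""
    for r in rules:
        if r.matches(packet):
            return r.target
    return policy


# Post #1: any UDP from source port 53, plus TCP SYN to port 53.
RULES_POST1 = [
    Rule("udp", sport=(53, 53)),
    Rule("tcp", dport=(53, 53), syn=True),
]

# Post #2: UDP only, unprivileged source port, destination port 53.
RULES_POST2 = [
    Rule("udp", sport=(1025, 65535), dport=(53, 53)),
]

# Post #3's point: both transports, and either kind of source port.
RULES_COMPLETE = [
    Rule("udp", dport=(53, 53)),
    Rule("tcp", dport=(53, 53), syn=True),
]

# Constructed sample traffic arriving at a public name server.
CLIENT_QUERY = Packet("udp", sport=40123, dport=53)        # resolver on a high port
DAEMON_QUERY = Packet("udp", sport=53, dport=53)           # daemon querying from port 53
AXFR_SYN = Packet("tcp", sport=40124, dport=53, syn=True)  # zone transfer or large reply over TCP
UNRELATED = Packet("udp", sport=40125, dport=123)          # NTP, should fall to the policy


def compare(packet: Packet) -> dict:
    """Verdict of each rule set for one packet."""
    return {
        "post1": verdict(RULES_POST1, packet),
        "post2": verdict(RULES_POST2, packet),
        "complete": verdict(RULES_COMPLETE, packet),
    }


if __name__ == "__main__":
    for name, pkt in [("client query", CLIENT_QUERY), ("daemon query", DAEMON_QUERY),
                      ("axfr syn", AXFR_SYN), ("unrelated", UNRELATED)]:
        print(f"{name:13s} {compare(pkt)}")
```

Running it shows the gap each earlier rule set leaves: post #1's rules drop the ordinary client query from a high port, post #2's rule drops both the query from source port 53 and the TCP connection, while the combined set accepts all three DNS packets and still drops the unrelated one.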
 
Old 11-09-2003, 07:42 PM   #4
joseph
Member
 
Registered: Jun 2003
Location: Batam
Distribution: Ubuntu 10 And Linux Mint
Posts: 414

Rep: Reputation: 30
BTW, why do you want your DNS server to be used as primary by others?
I personally will only accept my network, not much more than that.
 
Old 11-09-2003, 08:31 PM   #5
dexter_modem
Member
 
Registered: Oct 2002
Location: Chicago
Distribution: slackware > redhat
Posts: 69

Original Poster
Rep: Reputation: 15
How else will the rest of the internet understand your domain if you do not allow access from them?
 
Old 11-10-2003, 12:34 AM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
I think what joseph is saying is that you should only allow-recursion { localnets; } and then in your zone allow-query { all; }. That way your network can do recursive queries to look up any DNS information, but everyone else can only look up hosts in your zone (which is all they need).
 
Old 11-11-2003, 10:52 PM   #7
dexter_modem
Member
 
Registered: Oct 2002
Location: Chicago
Distribution: slackware > redhat
Posts: 69

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by chort
I think what joseph is saying is that you should only allow-recursion { localnets; } and then in your zone allow-query { all; }. That way your network can do recursive queries to look up any DNS information, but everyone else can only look up hosts in your zone (which is all they need).
That's deep. How do you do that?
 
Old 11-12-2003, 12:01 AM   #8
joseph
Member
 
Registered: Jun 2003
Location: Batam
Distribution: Ubuntu 10 And Linux Mint
Posts: 414

Rep: Reputation: 30
Quote:
Originally posted by dexter_modem
how else will the rest of the internet understand your domain if you do not allow access from them?
1) Are you telling your ISP to put your name server as primary name server or not?

2) If yes, are you telling them to put another name server as secondary?

3) I agree with chort. If you open port 53 for all, maybe it will be dangerous.
 
Old 11-13-2003, 10:41 PM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
dexter_modem:
Actually, I gave you the syntax right in my post.

In /etc/named.conf you should have
Code:
...

options {
  allow-recursion { localnets; };
};

zone "mydomain.com" {
  type master;
  file "path/db.mydomain.com";
  allow-query { all; };
};

...
Now obviously there's a lot more stuff in named.conf than that, but I'm showing you an example of how to restrict recursive queries (i.e. queries where your computer does all the work and returns a result to the client) to only the network your computer is attached to, but still allow anyone to look up information about your zone (i.e. hosts in your domain). If you have your IP set as the primary or secondary name server for your zone, then this will allow it to answer as an authoritative server.

By the way, if you're running the DNS server on the same machine that has your firewall (i.e. the DNS server has an interface that's directly connected to the Internet and has an externally routable IP) then you do NOT want to put "localnets" in your allow-recursion statement, since that will let anyone on your ISP's local subnet use you as a DNS server for recursive queries. You will want to create an ACL with only your private subnet on it and put that ACL in your allow-recursion {}; statement.

Example:
Code:
acl "LAN" {
        192.168.0.0/16;
};

options {
        allow-recursion { LAN; };
};
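To make the difference between the two named.conf examples in this post concrete, here is an added Python model (not BIND code and not from the thread) of the access decisions they describe: every query is checked against allow-query, and queries for names outside the server's own zone are additionally checked against allow-recursion. The topology is constructed: one LAN interface on 192.168.0.0/24 and one ISP-facing interface, with the documentation range 203.0.113.0/24 standing in for the ISP subnet; "localnets" expands to both, which is exactly the leak the post warns about. "refused" is a simplification for "not answered" and does not try to reproduce BIND's exact response codes.

```python
"""Model of allow-query / allow-recursion decisions as described in this thread.

Constructed example, not BIND's implementation: CIDR matching is done with
the ipaddress module, and "localnets" is expanded to the networks of all
interfaces the server sits on, including the ISP-facing one.
"""
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def parse_acl(entries: Iterable[str], interface_nets: List[Net]) -> List[Net]:
    """Expand an address match list of CIDR strings and the keywords
    'any' and 'localnets' into concrete networks."""
    nets: List[Net] = []
    for e in entries:
        if e == "any":
            nets.append(Net("0.0.0.0/0"))
        elif e == "localnets":
            nets.extend(interface_nets)
        else:
            nets.append(Net(e, strict=False))
    return nets


def allowed(addr: str, acl: List[Net]) -> bool:
    ip = ipaddress.IPv4Address(addr)
    return any(ip in n for n in acl)


class Server:
    def __init__(self, interface_nets, allow_query, allow_recursion, zones):
        self.allow_query = parse_acl(allow_query, interface_nets)
        self.allow_recursion = parse_acl(allow_recursion, interface_nets)
        self.zones = [z.lower() for z in zones]  # zones this server is authoritative for

    def in_zone(self, qname: str) -> bool:
        q = qname.rstrip(".").lower()
        return any(q == z or q.endswith("." + z) for z in self.zones)

    def answer(self, src: str, qname: str) -> str:
        """What the server does for a query from src about qname:
        'authoritative', 'recursive' or 'refused' (simplified outcome names)."""
        if not allowed(src, self.allow_query):
            return "refused"
        if self.in_zone(qname):
            return "authoritative"
        return "recursive" if allowed(src, self.allow_recursion) else "refused"


# Constructed topology: LAN interface plus an ISP-facing interface
# (203.0.113.0/24 is a documentation range standing in for the ISP subnet).
INTERFACE_NETS = [Net("192.168.0.0/24"), Net("203.0.113.0/24")]
ZONES = ["mydomain.com"]

# First named.conf example above: allow-recursion { localnets; }
CONFIG_LOCALNETS = Server(INTERFACE_NETS, ["any"], ["localnets"], ZONES)

# Second example above: an explicit acl holding only the private subnet.
CONFIG_LAN_ACL = Server(INTERFACE_NETS, ["any"], ["192.168.0.0/24"], ZONES)


if __name__ == "__main__":
    # 203.0.113.77 plays a neighbour on the ISP subnet, 198.51.100.5 the wider Internet.
    for label, cfg in [("localnets", CONFIG_LOCALNETS), ("LAN acl", CONFIG_LAN_ACL)]:
        for src, name in [("192.168.0.10", "www.example.net"),
                          ("203.0.113.77", "www.example.net"),
                          ("198.51.100.5", "www.mydomain.com"),
                          ("198.51.100.5", "www.example.net")]:
            print(f"{label:9s} {src:14s} {name:18s} -> {cfg.answer(src, name)}")
```

With "localnets", the ISP neighbour gets recursion; with the explicit acl it does not, while both configurations still answer anyone for names inside mydomain.com and refuse recursion to the rest of the Internet.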
 
  


All times are GMT -5. The time now is 09:32 PM.
