[Dshield] Help: DNS (53)

Chris Brenton cbrenton at chrisbrenton.org
Thu Jan 1 16:36:52 GMT 2004


On Thu, 2004-01-01 at 11:10, David Hart wrote:
>
> > You need to accept UDP to 53 from any in-bailiwick ( 
> > "authoritative") server. For example, if your server is looking up dns 
> > info for dshield.org, it must accept UDP packets from dshield.org.
> > 
> OK. Then there is no applicable (IPTables) firewall rule other than
> "Accept" DPT=53?

NOOOOOOOOOOOOOOO!!!

I don't think the poster really understood what you were looking for
and was giving off the cuff answers (kind of like I did when I said you
only need to talk to "root" servers. ;-) )

Here are the rules you want:
# UDP for ordinary queries, TCP for large responses and zone transfers
iptables -A FORWARD -p udp -i eth0 -s 1.2.3.4 -d 0/0 --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -s 1.2.3.4 -d 0/0 --dport 53 -j ACCEPT
# let the replies back in via connection tracking
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

(change -i and -s as appropriate. Add in similar rules for logging if
you want them.) 

Now, some caveats here. Is the name server on the same subnet as your
internal hosts? If so, do you have a rule like this:
iptables -A FORWARD -i eth0 -m state --state NEW -d 0/0 -j ACCEPT

If so, this should let your name server get access to the Internet as
well. If not, you need the specific rules I mention above.

Now, if the name server is off of a third NIC off the firewall, the
rules should read:
# "! -d" = any destination except the internal subnet
iptables -A FORWARD -p udp -i eth0 -s 1.2.3.4 ! -d 192.168.1.0/24 --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -s 1.2.3.4 ! -d 192.168.1.0/24 --dport 53 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

(change 192.168.1.0/24 to be your internal subnet)

This way if your name server gets whacked, the perp can't use it to get
to internal systems on port 53.

I *think* I've got you covered this time. ;-)

> That makes abundant sense. Presumably then, I want to limit to DPT >
> 32000 and < ???? Any suggestions?

To go back to your original post, it's really not a big deal that you are
dropping the traffic from the load balancer. Most people do this and
have no problem. If queries are already working for you then you are
probably all set and don't need to tweak anything.

HTH,
C
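The rule set Chris describes, as an added example that is not part of the original post: a small POSIX sh script that generates the FORWARD rules for a name server from three parameters (interface, name server address, optional internal subnet), using UDP and TCP for port 53 and the ESTABLISHED,RELATED state names iptables actually accepts. When an internal subnet is given it also appends rate-limited LOG and DROP rules so a compromised name server probing internal port 53 shows up in the logs. The function names (run, dns_forward_rules), the APPLY variable and the sample values are this example's own; it prints the commands unless APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Dry-run by default: set APPLY=1 to execute the iptables commands.

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# dns_forward_rules IFACE NS_IP [INTERNAL_NET]
#   IFACE        interface the name server's packets enter the firewall on
#   NS_IP        address of the name server
#   INTERNAL_NET optional; when given, port 53 on this subnet is NOT
#                reachable from the name server (the "third NIC" case)
dns_forward_rules() {
    iface=$1; ns=$2; internal=${3:-}
    dst="-d 0/0"
    if [ -n "$internal" ]; then
        dst="! -d $internal"
    fi

    # One ACCEPT per transport: UDP for ordinary queries, TCP for
    # truncated responses and zone transfers.
    for proto in udp tcp; do
        run -A FORWARD -p "$proto" -i "$iface" -s "$ns" $dst --dport 53 -j ACCEPT
    done

    # Replies return through connection tracking (ESTABLISHED, not ESTABLISH).
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # With an internal subnet excluded above, anything from the name
    # server still aimed at port 53 must be internal: log it (rate
    # limited, so a scan cannot flood the log) and drop it.
    if [ -n "$internal" ]; then
        for proto in udp tcp; do
            run -A FORWARD -p "$proto" -i "$iface" -s "$ns" --dport 53 \
                -m limit --limit 5/min -j LOG --log-prefix "NS-DNS-DROP: "
            run -A FORWARD -p "$proto" -i "$iface" -s "$ns" --dport 53 -j DROP
        done
    fi
}

# Usage: sh dnsrules.sh eth0 1.2.3.4 [192.168.1.0/24]
if [ $# -ge 2 ]; then
    dns_forward_rules "$@"
fi
```

Run it once without APPLY to review the generated commands, then with APPLY=1; the LOG rules sit after the ACCEPT rules on purpose, so only traffic that failed the "! -d" exclusion is logged.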