
Re: How do I configure iptables to allow DNS lookups?



On Wed, 6 Aug 2003, Malcolm Ferguson wrote:

> I'm trying to configure iptables as strictly as possible, however, I'm
> having problems with DNS.  If I understand correctly how DNS works, the
> client sends a UDP packet from a high number port to port 53 on the name
> server.  The name server responds with a UDP packet back to that high
> number port.  Is this correct?
>
> I have /etc/resolv.conf containing a nameserver entry.  I also have some
> name servers listed in the forwarders section of /etc/bind/named.conf.
> Is there a way to configure both bind and the normal name resolver (how
> does it work???) to always use the same port?  Or, do I have to add a
> rule to the INPUT chain that ACCEPTS anything UDP from the name server?
> Obviously the name server isn't on the local LAN.

Hi Malcolm,

Contrary to common belief, DNS is not UDP only. Once in a while a normal query
will be too large and then TCP packets are used. So TCP is not exclusively for
zone transfers.

Here's what I use in my iptables-script:

  if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o $PUB_IFACE -p udp \
             -s $PUB_IP --sport $EPHEMERAL_PORTS \
             -d $IP --dport 53 \
             -m state --state NEW -j ACCEPT

    iptables -A OUTPUT -o $PUB_IFACE -p tcp \
             -s $PUB_IP --sport $EPHEMERAL_PORTS \
             -d $IP --dport 53 \
             -m state --state NEW -j ACCEPT
  fi

  iptables -A OUTPUT -o $PUB_IFACE -p udp \
           -s $PUB_IP --sport $EPHEMERAL_PORTS \
           -d $IP --dport 53 -j ACCEPT

  iptables -A OUTPUT -o $PUB_IFACE -p tcp \
           -s $PUB_IP --sport $EPHEMERAL_PORTS \
           -d $IP --dport 53 -j ACCEPT

  iptables -A INPUT -i $PUB_IFACE -p udp \
           -s $IP --sport 53 \
           -d $PUB_IP --dport $EPHEMERAL_PORTS -j ACCEPT

  iptables -A INPUT -i $PUB_IFACE -p tcp ! --syn \
           -s $IP --sport 53 \
           -d $PUB_IP --dport $EPHEMERAL_PORTS -j ACCEPT

Mind you, it is somewhat double. It is something I got used to doing in the
past. So there are a couple of catch 'em lines just in case the
connection tracking module isn't loaded on that particular host. You
might not need those extra lines.

Grx HdV
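As an added illustration of the UDP-then-TCP behaviour described in the reply above (example code, not from the original thread), this small resolver sends a query from a kernel-assigned ephemeral port and switches to TCP/53 only when the UDP reply comes back with the TC (truncated) bit set. The sample response bytes are constructed inline, and `resolve_raw` is a hypothetical helper name.

```python
import socket
import struct

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Minimal DNS A query in wire format (RFC 1035): 12-byte header plus one question."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp: bytes) -> dict:
    """Decode the header; TC (bit 0x0200 of flags) means the UDP answer was cut at 512 bytes."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def needs_tcp_retry(resp: bytes, expected_id: int) -> bool:
    """A truncated reply to our own query id is the signal to repeat the query over TCP."""
    h = parse_header(resp)
    return h["qr"] and h["id"] == expected_id and h["tc"]

def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def resolve_raw(name: str, server: str, timeout: float = 3.0) -> bytes:
    """Query over UDP from an ephemeral port; fall back to TCP/53 if the reply is truncated."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, 53))           # kernel picks the ephemeral source port
        resp, _ = u.recvfrom(512)           # classic DNS: UDP answers capped at 512 bytes
    if not needs_tcp_retry(resp, 0x1234):
        return resp
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(tcp_frame(q))             # this is the traffic the TCP rules must allow
        length = struct.unpack("!H", t.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = t.recv(length - len(data))
            if not chunk:
                raise ConnectionError("tcp dns stream closed early")
            data += chunk
    return data

# Constructed sample: reply to id 0x1234 with QR=1, TC=1, RD=1, RA=1 and the question echoed back
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + build_query("example.com")[12:]
```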
