Originally Posted by SeijiSensei
If you block incoming port 53 traffic, then your server cannot communicate with the roots and resolve names outside the domains for which it is authoritative.
To clarify, I don't specifically block incoming traffic for destination port 53, but since it isn't specifically allowed, it gets blocked. Requests from my DNS that go upstream do so via another, high-numbered port and get back via the RELATED,ESTABLISHED path through my iptables. Some examples: First, a random incoming DNS request (entire session, packet was DROPPED):
Code:
2013-05-07 10:36:15.229465 IP 180.76.5.159.63468 > XXX.XXX.XXX.XXX.53: 17924+ A? www.google.com. (32)
Second, a forward request to a root server (F):
Code:
2013-05-07 11:25:49.605652 IP 173.180.45.4.6485 > 192.5.5.241.53: 13848 [1au] A? bit.ly. (35)
2013-05-07 11:25:49.605829 IP XXX.XXX.XXX.XXX.14304 > 192.5.5.241.53: 8338 [1au] NS? . (28)
2013-05-07 11:25:49.781905 IP 192.5.5.241.53 > XXX.XXX.XXX.XXX.14304: 8338*- 14/0/23 NS i.root-servers.net., NS c.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS b.root-servers.net., NS m.root-servers.net., NS j.root-servers.net., NS l.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS d.root-servers.net., NS a.root-servers.net., NS k.root-servers.net., RRSIG (857)
2013-05-07 11:25:49.787509 IP 192.5.5.241.53 > XXX.XXX.XXX.XXX.6485: 13848- 0/8/10 (568)
There is never a packet leaving my network from port 53.
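The stateful behaviour described in the post above, as an added example that is not part of the original thread: a small simulation of what the RELATED,ESTABLISHED rule does with tcpdump lines in the same `IP src.port > dst.port:` form shown there. The sample lines and addresses are constructed (192.0.2.10 stands in for the masked XXX.XXX.XXX.XXX resolver; 198.51.100.77 is an arbitrary remote client); 192.5.5.241 is the F root server address already quoted in the post. The fourth sample packet goes beyond the post's trace: a "reply" from source port 53 that matches no outbound query, which the state table also rejects.

```python
"""Minimal conntrack-style filter for the DNS pattern in the post above.

Added example, not the poster's configuration.  Policy modelled (assumed
to be the iptables equivalent of what the post describes):

    iptables -P INPUT DROP
    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -P OUTPUT ACCEPT

No INPUT rule mentions port 53, so unsolicited queries hit the default DROP,
while answers to queries the resolver sent from an ephemeral port match an
existing flow and are accepted.
"""
import re

LOCAL_IP = "192.0.2.10"   # assumption: stands in for the masked resolver address

# tcpdump prints "IP a.b.c.d.PORT > w.x.y.z.PORT:" ; the port is the last dotted field
_PKT = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

DROP = "DROP (INPUT default policy, no matching flow)"
ACCEPT_NEW = "ACCEPT (OUTPUT, new flow recorded)"
ACCEPT_EST = "ACCEPT (INPUT, ESTABLISHED)"


def parse(line):
    """Return (src, sport, dst, dport) from a tcpdump IPv4 one-liner."""
    m = _PKT.search(line)
    if not m:
        raise ValueError(f"not a tcpdump IP line: {line!r}")
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


class StatefulFilter:
    """Tracks flows the local host opened, keyed by the UDP 4-tuple."""

    def __init__(self, local_ip):
        self.local_ip = local_ip
        self.flows = set()

    def verdict(self, pkt):
        src, sport, dst, dport = pkt
        # Reverse of a flow we opened: conntrack calls this ESTABLISHED.
        if (dst, dport, src, sport) in self.flows:
            return ACCEPT_EST
        # Locally originated: OUTPUT is open, and the flow is remembered so
        # that exactly one reply path (back to this ephemeral port) is allowed.
        if src == self.local_ip:
            self.flows.add(pkt)
            return ACCEPT_NEW
        # Everything else arriving on INPUT has no rule, so the default DROPs it.
        return DROP


def run(lines, local_ip=LOCAL_IP):
    """Apply the filter to tcpdump lines in order; return one verdict per line."""
    f = StatefulFilter(local_ip)
    return [f.verdict(parse(line)) for line in lines]


# Constructed sample capture (not from the original post).
SAMPLE = [
    # unsolicited query from the internet to our port 53
    "2013-05-07 10:36:15.229465 IP 198.51.100.77.63468 > 192.0.2.10.53: 17924+ A? www.google.com. (32)",
    # our resolver asks F-root from an ephemeral port
    "2013-05-07 11:25:49.605829 IP 192.0.2.10.14304 > 192.5.5.241.53: 8338 [1au] NS? . (28)",
    # F-root answers to that same ephemeral port
    "2013-05-07 11:25:49.781905 IP 192.5.5.241.53 > 192.0.2.10.14304: 8338*- 14/0/23 NS i.root-servers.net. (857)",
    # spoofed 'answer' from source port 53 to a port we never used
    "2013-05-07 11:25:50.000000 IP 192.5.5.241.53 > 192.0.2.10.22222: 4242 1/0/0 A 203.0.113.5 (44)",
]

if __name__ == "__main__":
    for line, v in zip(SAMPLE, run(SAMPLE)):
        print(f"{v:48s} {line[27:]}")
```

The point of the fourth packet is why the reply path should be state-based rather than a rule such as "accept anything from source port 53": a datagram that merely claims to come from port 53 matches no recorded flow and is dropped, exactly like the unsolicited query in the first line.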