disabling stateful firewalls for DNS traffic
Chuck Anderson
cra at WPI.EDU
Sat Mar 1 15:59:58 UTC 2014
On Sat, Mar 01, 2014 at 03:35:25PM +0000, Phil Mayers wrote:
> The DNS-QUERY chain allows all traffic inbound to port 53 and
> fragments, and denies all other TCP/UDP. It permits all others,
> which is relatively open but you could lock this down to allowing
> ICMP etc. if you wanted.
>
> The DNS-REPLY chain drops tcp syn and dst port <1024 tcp/udp. It
> then allows all TCP/UDP (including frags), which is needed as bind
> uses random query source ports. You could of course put DROP
> statements in higher up if you know you have non-bind processes
> listening on high(er) ports. Same comment as above for the final
> ACCEPT.
Excellent. This is exactly what I was looking for. Thanks.
> rules, tcpwrappers, SELinux confinement, bind ACLs and network-level
> ACLs at our border to ensure it's all locked down.
To your point about higher-up non-bind processes listening on high(er)
ports, and also your SELinux comment, I've found the following to be
extremely valuable:
options {
        avoid-v4-udp-ports { 1935; 2605; 4321; 6514; range 8610 8614; };
        avoid-v6-udp-ports { 1935; 2605; 4321; 6514; range 8610 8614; };
};
That list of ports in particular is blocked by default SELinux rules
on RHEL, so not configuring the above causes occasional resolution
failures to be logged like this:
Jul 16 03:27:04 server named[1634]: dispatch 0x7f4acc5c1210: open_socket(0.0.0.0#1935) -> permission denied: continuing
You can also find these problems by checking your
/var/log/audit/audit.log. You can list all known SELinux ports like
this:
semanage port -l
(but not all of them are blocked/problematic for BIND to use)
> The advice to not statefully process DNS traffic is excellent
> advice. Personal experience is that suddenly being a node which
> attackers try to reflect from can really ruin your day if you're
> stateful.
Agreed.
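A small helper, added here and not part of the thread, that pulls the refused ports out of named log lines like the one quoted above and out of the corresponding audit.log AVC records, then renders them in the avoid-v4/v6-udp-ports syntax shown in the message (folding consecutive ports into a range). The AVC record layout and every sample line except the one quoted in the message are assumptions.

```python
import re

# Line named logs when SELinux refuses a UDP bind (same format as the line quoted above).
NAMED_DENIED = re.compile(r"open_socket\([^#)]+#(?P<port>\d+)\) -> permission denied")
# Matching AVC record in /var/log/audit/audit.log; the layout is assumed (usual RHEL format).
AVC_DENIED = re.compile(
    r'avc:\s+denied\s+\{ name_bind \}.*?comm="named".*?src=(?P<port>\d+).*?tclass=udp_socket'
)

# Constructed sample input: the first line is the one quoted in the message, the rest are
# made up in the same formats (pids, timestamps and port contexts are placeholders).
SAMPLE_LINES = [
    "Jul 16 03:27:04 server named[1634]: dispatch 0x7f4acc5c1210: open_socket(0.0.0.0#1935) -> permission denied: continuing",
    "Jul 16 03:27:04 server named[1634]: dispatch 0x7f4acc5c1210: open_socket(::#2605) -> permission denied: continuing",
    'type=AVC msg=audit(1405488430.100:5012): avc:  denied  { name_bind } for  pid=1634 comm="named" src=8610 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=udp_socket',
    'type=AVC msg=audit(1405488431.100:5013): avc:  denied  { name_bind } for  pid=1634 comm="named" src=8611 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=udp_socket',
    'type=AVC msg=audit(1405488432.100:5014): avc:  denied  { name_bind } for  pid=1634 comm="named" src=8612 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=udp_socket',
    # A denial for another daemon (ignored: not a port BIND needs to avoid).
    'type=AVC msg=audit(1405488433.100:5015): avc:  denied  { name_bind } for  pid=2201 comm="httpd" src=8613 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=udp_socket',
]

def denied_udp_ports(lines):
    """Every UDP port named was refused, collected from named log and/or audit.log lines."""
    ports = set()
    for line in lines:
        m = NAMED_DENIED.search(line) or AVC_DENIED.search(line)
        if m:
            ports.add(int(m.group("port")))
    return ports

def collapse_ranges(ports, min_run=3):
    """Sorted ports, with runs of >= min_run consecutive values folded into (lo, hi) tuples."""
    items, run = [], []
    for p in sorted(ports) + [None]:          # trailing None flushes the last run
        if run and (p is None or p != run[-1] + 1):
            items.extend([(run[0], run[-1])] if len(run) >= min_run else run)
            run = []
        if p is not None:
            run.append(p)
    return items

def render_avoid_ports(ports):
    """Render the options block in the same form as the one in the message above."""
    body = " ".join(f"range {i[0]} {i[1]};" if isinstance(i, tuple) else f"{i};"
                    for i in collapse_ranges(ports))
    return ("options {\n"
            f"    avoid-v4-udp-ports {{ {body} }};\n"
            f"    avoid-v6-udp-ports {{ {body} }};\n"
            "};\n")
```

Review the generated list against `semanage port -l` before putting it in named.conf, since a port refused once for some unrelated reason should not be avoided permanently.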