disabling stateful firewalls for DNS traffic

Chuck Anderson cra at WPI.EDU
Sat Mar 1 14:30:33 UTC 2014


In the following two Best Practices documents, it is recommended to
disable stateful firewalls for DNS traffic (outbound on recursive
servers, and inbound on authoritative servers).  Can people share
their Linux iptables configurations for how they have accomplished
this?

https://deepthought.isc.org/article/AA-00874/0/Best-Practices-for-those-running-Recursive-Servers.html

    "Disable the use of stateful firewalls/packet filters on your
    servers for outbound query traffic (iterative queries made by a
    recursive server to authoritative Internet servers).
    Administrators often consider the impact of stateful firewalls and
    load balancers on inbound client queries, but then fail to
    consider their impact on resolver query traffic."

https://deepthought.isc.org/article/AA-00892/0/Best-Practices-for-those-running-Authoritative-Servers.html

    "In most instances we would not recommend the use of inbound
    packet filtering for authoritative nameservers, Response Rate
    Limiting is the recommended solution.  However there are some
    circumstances where filtering at very high inbound packet rates
    can be helpful - please contact ISC if you think you might benefit
    from our operational experience in this area."

The typical vendor defaults I've seen don't follow this advice.  For
example, on Red Hat-like servers, stateful rules like the following
are often implemented with rules added to non-open recursive servers
to allow only your internal network to connect to port 53:

*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m icmp -p icmp --icmp-type any -j ACCEPT
# stateful: replies to the server's own outbound queries are admitted only via conntrack
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# stateful: new client queries, internal sources only
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -s $INTERNALNET -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -s $INTERNALNET -j ACCEPT
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j LOG
COMMIT

and for authoritative-only servers allowing any sources to connect to
port 53:

*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m icmp -p icmp --icmp-type any -j ACCEPT
# stateful: replies to the server's own outbound queries are admitted only via conntrack
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# stateful: new client queries from any source
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j LOG
COMMIT

How should these rules be changed to adhere to the Best Practices
while not breaking anything and still allowing the servers to do their
own DNS lookups?  I know theoretically how I would do this, but I'm
looking for others' experiences.

Thanks.
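
[Added example, not part of the original post and not ISC's or Red Hat's configuration.]  One way to answer the question above in Linux iptables terms is to keep the default-deny INPUT policy from the two rulesets but move DNS out of connection tracking entirely: mark every port-53 packet NOTRACK in the raw table, then accept the untracked DNS packets in the filter table by plain port (and, for a non-open recursive server, source prefix) matching, leaving everything that is not DNS stateful.  The script below emits such an iptables-restore ruleset for either role and lints it.  Assumptions not in the post: the kernel has the raw table, the NOTRACK target and the conntrack match (standard on Red Hat-like systems); BIND sends its own queries from source ports 1024 and up (its default range); 192.0.2.0/24 is a constructed internal prefix.  The two `--sport 53` rules are the part that keeps the servers able to do their own lookups: once DNS is untracked, replies to the server's outbound queries no longer match ESTABLISHED, so they must be admitted explicitly.  The trade-off is the one the ISC text accepts: any packet with source port 53 aimed at a high port is now admitted without state, so services listening on high ports should be bound to localhost or filtered by their own rules.  ip6tables needs the same treatment.

```shell
#!/bin/sh
# Added example (not from the original post or from ISC): emit an
# iptables-restore ruleset that keeps the default-deny INPUT policy but
# takes DNS out of connection tracking, as the quoted ISC advice asks.
#
# Usage:  dns_ruleset recursive 192.0.2.0/24 | iptables-restore
#         dns_ruleset authoritative          | iptables-restore
#
# Assumptions (not in the post): kernel has the raw table / NOTRACK target
# and the conntrack match; BIND sends its own queries from ports >= 1024
# (its default source-port range).  192.0.2.0/24 is a constructed prefix.
dns_ruleset() {
    role=$1
    internalnet=$2
    if [ "$role" = recursive ]; then
        # A non-open recursive server still restricts who may query it;
        # that is a plain source-address match and needs no conntrack state.
        client_src="-s $internalnet"
    else
        client_src=""
    fi

    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# No conntrack entry is created for any DNS packet, in either direction,
# so the conntrack table cannot fill up or expire entries under query load.
-A PREROUTING -p udp --dport 53 -j NOTRACK
-A PREROUTING -p tcp --dport 53 -j NOTRACK
-A PREROUTING -p udp --sport 53 -j NOTRACK
-A PREROUTING -p tcp --sport 53 -j NOTRACK
-A OUTPUT -p udp --sport 53 -j NOTRACK
-A OUTPUT -p tcp --sport 53 -j NOTRACK
-A OUTPUT -p udp --dport 53 -j NOTRACK
-A OUTPUT -p tcp --dport 53 -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Untracked flows never yield RELATED ICMP, so keep accepting ICMP outright
# (as the original ruleset did) or PMTU and unreachable errors are lost.
-A INPUT -p icmp -j ACCEPT
# Client queries to this server: stateless, by port (and source prefix).
-A INPUT -m conntrack --ctstate UNTRACKED -p udp --dport 53 ${client_src:+$client_src }-j ACCEPT
-A INPUT -m conntrack --ctstate UNTRACKED -p tcp --dport 53 ${client_src:+$client_src }-j ACCEPT
# Replies to this server's own lookups (recursive iteration, or the stub
# resolver on an authoritative box): untracked packets never match
# ESTABLISHED, so without these two rules the server cannot resolve anything.
-A INPUT -m conntrack --ctstate UNTRACKED -p udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -m conntrack --ctstate UNTRACKED -p tcp --sport 53 --dport 1024:65535 -j ACCEPT
# Everything that is not DNS stays stateful, exactly as before.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j LOG
COMMIT
EOF
}

# Lint a ruleset passed as one string: no rule that matches port 53 may
# also carry a stateful NEW/ESTABLISHED match.  Returns 0 when clean.
dns_rules_stateless() {
    ! printf '%s\n' "$1" \
        | grep -E -- '--[sd]port 53( |$)' \
        | grep -Eq -- '--(state|ctstate) [^ ]*(NEW|ESTABLISHED)'
}
```

Feeding the original stateful rules from the post to `dns_rules_stateless` fails the lint, while the generated rulesets pass it; that is a cheap check to keep in a deployment script so a later edit does not quietly put DNS back behind conntrack.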


More information about the bind-users mailing list