disabling stateful firewalls for DNS traffic

/dev/rob0 rob0 at gmx.co.uk
Sat Mar 1 19:04:59 UTC 2014


On Sat, Mar 01, 2014 at 03:35:25PM +0000, Phil Mayers wrote:
> On 01/03/2014 14:30, Chuck Anderson wrote:
> 
> >How should these rules be changed to adhere to the Best Practices 
> >while not breaking anything and still allowing the servers to do 
> >their own DNS lookups?  I know theoretically how I would do this, 
> >but I'm looking for others' experiences.
> 
> There are probably an arbitrary number of ways to skin this cat.

Yes, and here's another. :) (Also Linux-specific.)

In my view there's no point in Linux connection tracking for UDP DNS
queries. A typical UDP "connection" is two packets: a query going 
out, and an answer coming back. And as I have seen, a busy named 
server can have lots of these entries in its conntrack table. Each 
entry requires kernel-space memory of course, and each entry counts 
against the total number of entries that the table can accommodate.

Therefore my approach is to use the raw table to keep these 
"connections" out of conntrack altogether.

The following sample ruleset is obviously incomplete; there is no 
filtering being done.

root at tp:~# iptables-save
# Generated by iptables-save v1.4.20 on Sat Mar  1 12:42:55 2014
*filter
:INPUT ACCEPT [1:324]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:104]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
COMMIT
# Completed on Sat Mar  1 12:42:55 2014
# Generated by iptables-save v1.4.20 on Sat Mar  1 12:42:55 2014
*raw
:PREROUTING ACCEPT [96:19019]
:OUTPUT ACCEPT [118:13918]
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "do not track inbound DNS queries on UDP" -j NOTRACK
-A PREROUTING -p udp -m udp --sport 53 -m comment --comment "do not track inbound DNS replies on UDP" -j NOTRACK
-A OUTPUT -p udp -m udp --dport 53 -m comment --comment "do not track outbound DNS queries on UDP" -j NOTRACK
-A OUTPUT -p udp -m udp --sport 53 -m comment --comment "do not track outbound DNS replies on UDP" -j NOTRACK
COMMIT
# Completed on Sat Mar  1 12:42:55 2014

Note that in the filter table, only one rule is required to do all 
conntrack-based acceptance. The example above is for a ruleset on a 
named server, but if this was for a firewall in front of a named 
server, you would need that rule in FORWARD, not INPUT.

Note also: NOTRACK and DNAT are exclusive. If you're wanting to do 
this on a NAT router, forget it. For now, increase the size of your 
conntrack table as much as necessary; later, get it set up without 
the NAT.

Moving on to the raw table, note that each rule is commented to be 
descriptive.

IMO this is the best approach to use on or for machines which are 
primarily recursive nameservers, and it probably would not hurt 
authoritative servers, either.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
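An added example following the post above; this is not rob0's code but a
complete ruleset in the same raw-table NOTRACK style, with the filtering the
post left out and a check that UDP/53 really stays out of conntrack. The
addresses, the SSH source network and the conntrack -L sample are constructed,
and the 1024:65535 reply-port range assumes named's default ephemeral
query-source ports.

```shell
#!/bin/sh
# Added example, not code from the original post: a full iptables-restore
# ruleset that keeps UDP DNS out of conntrack, plus a leak check.
# Addresses, the SSH source network and SAMPLE_CONNTRACK are constructed.

# Print the ruleset for a recursive nameserver host. The raw table keeps both
# directions of UDP/53 untracked; the filter table, unlike the post's sample,
# has a DROP policy and admits the untracked DNS packets via UNTRACKED.
dns_notrack_ruleset() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# queries arriving for our server and replies to our own queries
-A PREROUTING -p udp --dport 53 -m comment --comment "inbound DNS queries, untracked" -j NOTRACK
# assumption: named sends from ports 1024-65535 (BIND default); replies to
# a lower query source port would be tracked as NEW and dropped below
-A PREROUTING -p udp --sport 53 --dport 1024:65535 -m comment --comment "inbound DNS replies, untracked" -j NOTRACK
-A OUTPUT -p udp --dport 53 -m comment --comment "outbound DNS queries, untracked" -j NOTRACK
-A OUTPUT -p udp --sport 53 -m comment --comment "outbound DNS replies, untracked" -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# one rule admits tracked replies and all untracked UDP DNS traffic
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
# TCP DNS is still tracked, so it needs an explicit NEW accept
-A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Count conntrack entries touching UDP port 53 in either tuple. Once the raw
# rules are loaded, new queries must not add anything here; live check:
#   conntrack -L -p udp 2>/dev/null | dns_conntrack_leaks
dns_conntrack_leaks() {
    awk '$1 == "udp" && / [sd]port=53 / { n++ } END { print n + 0 }'
}

# Constructed conntrack -L output from before the raw rules were loaded: one
# outbound query, one inbound query (unreplied), plus an SSH and an NTP entry.
SAMPLE_CONNTRACK='udp      17 28 src=192.0.2.10 dst=192.0.2.53 sport=41230 dport=53 src=192.0.2.53 dst=192.0.2.10 sport=53 dport=41230 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.22 sport=51234 dport=22 src=192.0.2.22 dst=192.0.2.10 sport=22 dport=51234 [ASSURED] mark=0 use=1
udp      17 25 src=198.51.100.7 dst=192.0.2.10 sport=53000 dport=53 [UNREPLIED] src=192.0.2.10 dst=198.51.100.7 sport=53 dport=53000 mark=0 use=1
udp      17 170 src=192.0.2.10 dst=192.0.2.123 sport=123 dport=123 src=192.0.2.123 dst=192.0.2.10 sport=123 dport=123 [ASSURED] mark=0 use=1'

# UDP/53 entries in the constructed sample (expected: 2).
sample_leak_count() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | dns_conntrack_leaks
}

# Number of NOTRACK rules in the generated ruleset (expected: 4).
notrack_rule_count() {
    dns_notrack_ruleset | grep -c -- '-j NOTRACK'
}

# Loading needs root and iptables, so only do it when explicitly asked:
#   APPLY_DNS_NOTRACK=1 sh dns-notrack.sh
if [ "${APPLY_DNS_NOTRACK:-0}" = 1 ]; then
    dns_notrack_ruleset | iptables-restore
    echo "UDP/53 conntrack entries now: $(conntrack -L -p udp 2>/dev/null | dns_conntrack_leaks)"
else
    echo "UDP/53 conntrack entries in the sample, before NOTRACK: $(sample_leak_count)"
fi
```

Two caveats worth keeping in mind with this layout. Every UDP datagram with
source port 53 now bypasses state matching and is accepted by the UNTRACKED
rule, so it reaches whatever socket is bound on its destination port; the
1024:65535 range above only keeps such datagrams off privileged ports, it does
not restore the query/reply pairing that conntrack provided. TCP/53 is still
tracked and still needs its own accept, and, as the post says, none of this can
be combined with DNAT of the same traffic.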

