disabling stateful firewalls for DNS traffic

Drunkard Zhang gongfan193 at gmail.com
Mon Mar 3 01:48:20 UTC 2014


2014-03-02 3:04 GMT+08:00 /dev/rob0 <rob0 at gmx.co.uk>:
> On Sat, Mar 01, 2014 at 03:35:25PM +0000, Phil Mayers wrote:
>> On 01/03/2014 14:30, Chuck Anderson wrote:
>>
>> >How should these rules be changed to adhere to the Best Practices
>> >while not breaking anything and still allowing the servers to do
>> >their own DNS lookups?  I know theoretically how I would do this,
>> >but I'm looking for others' experiences.
>>
>> There are probably an arbitrary number of ways to skin this cat.
>
> Yes, and here's another. :) (Also Linux-specific.)
>
> In my view there's no point in Linux connection tracking for UDP DNS
> queries. A typical UDP "connection" is two packets: a query going
> out, and an answer coming back. And as I have seen, a busy named
> server can have lots of these entries in its conntrack table. Each
> entry requires kernel-space memory of course, and each entry counts
> against the total number of entries that the table can accommodate.
>
> Therefore my approach is to use the raw table to keep these
> "connections" out of conntrack altogether.
>
> The following sample ruleset is obviously incomplete; there is no
> filtering being done.
>
> root at tp:~# iptables-save
> # Generated by iptables-save v1.4.20 on Sat Mar  1 12:42:55 2014
> *filter
> :INPUT ACCEPT [1:324]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2:104]
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
> COMMIT
> # Completed on Sat Mar  1 12:42:55 2014
> # Generated by iptables-save v1.4.20 on Sat Mar  1 12:42:55 2014
> *raw
> :PREROUTING ACCEPT [96:19019]
> :OUTPUT ACCEPT [118:13918]
> -A PREROUTING -p udp -m udp --dport 53 -m comment --comment "do not track outbound DNS queries on UDP" -j NOTRACK
> -A PREROUTING -p udp -m udp --sport 53 -m comment --comment "do not track inbound DNS replies on UDP" -j NOTRACK
> -A OUTPUT -p udp -m udp --dport 53 -m comment --comment "do not track outbound DNS queries on UDP" -j NOTRACK
> -A OUTPUT -p udp -m udp --sport 53 -m comment --comment "do not track inbound DNS replies on UDP" -j NOTRACK

The NOTRACK module is being deprecated in the kernel; the equivalent usage is:
-A PREROUTING -p udp -m udp --dport 53 -j CT --notrack

> COMMIT
> # Completed on Sat Mar  1 12:42:55 2014
>
> Note that in the filter table, only one rule is required to do all
> conntrack-based acceptance. The example above is for a ruleset on a
> named server, but if this was for a firewall in front of a named
> server, you would need that rule in FORWARD, not INPUT.
>
> Note also: NOTRACK and DNAT are exclusive. If you're wanting to do
> this on a NAT router, forget it. For now, increase the size of your
> conntrack table as much as necessary; later, get it set up without
> the NAT.
>
> Moving on to the raw table, note that each rule is commented to be
> descriptive.
>
> IMO this is the best approach to use on or for machines which are
> primarily recursive nameservers, and it probably would not hurt
> authoritative servers, either.
> --
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


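An added example, not code from the thread or from either poster: a small lint for an iptables-save dump that applies the pattern rob0 describes. It counts the raw-table rules that exempt UDP/53 from conntrack, rewrites the deprecated NOTRACK target to CT --notrack, and checks that the filter chain's conntrack ACCEPT rule lists UNTRACKED, because once packets are untracked they never match ESTABLISHED and fall through to the chain policy. The dump is constructed (not rob0's) and deliberately leaves UNTRACKED out under a DROP policy so the check has something to catch.

```shell
#!/bin/sh
# Added example, not from the thread: lint an iptables-save dump for the
# "untracked UDP DNS" pattern. The dump below is constructed; it uses a
# DROP policy on INPUT and leaves UNTRACKED out of the ctstate ACCEPT rule.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
-A PREROUTING -p udp -m udp --sport 53 -j NOTRACK
-A OUTPUT -p udp -m udp --dport 53 -j NOTRACK
-A OUTPUT -p udp -m udp --sport 53 -j NOTRACK
COMMIT'

# Rewrite the deprecated NOTRACK target to the CT target's --notrack option.
modernize_notrack() {
    printf '%s\n' "$1" | sed 's/-j NOTRACK$/-j CT --notrack/'
}

# Count raw-table rules that exempt UDP port 53 from conntrack, in either spelling.
count_dns_notrack() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "raw" && /-p udp/ && /port 53( |$)/ &&
            (/-j NOTRACK$/ || /-j CT --notrack$/) { n++ }
        END { print n + 0 }'
}

# Untracked packets never match ESTABLISHED, so the filter chain ($2) must
# accept ctstate UNTRACKED or the DNS traffic falls through to the policy.
# Prints "ok" or "missing-untracked".
check_untracked_accept() {
    if printf '%s\n' "$1" | awk -v chain="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == chain &&
            /--ctstate [A-Z,]*UNTRACKED/ && /-j ACCEPT$/ { found = 1 }
        END { exit found ? 0 : 1 }'
    then echo ok; else echo missing-untracked; fi
}

# Demo run against the constructed sample.
echo "raw DNS notrack rules: $(count_dns_notrack "$SAMPLE_DUMP")"
echo "INPUT accepts UNTRACKED: $(check_untracked_accept "$SAMPLE_DUMP" INPUT)"
modernize_notrack "$SAMPLE_DUMP" | grep -c 'CT --notrack'
```

Run it against a real `iptables-save` dump by replacing SAMPLE_DUMP with `$(iptables-save)`; on a router doing NAT the rob0 caveat still applies, since NOTRACK and DNAT do not combine.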