[External] Re: How can I launch a private Internet DNS server?

Michael De Roover isc at nixmagic.com
Thu Oct 15 19:52:12 UTC 2020


Simply stateless. Something along the lines of this (iptables):

# SSH may be internal only or moved to a different port
iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
# Enable DNS on both TCP and UDP
iptables -A INPUT -m tcp -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -m udp -p udp --dport 53 -j ACCEPT
# Allow ping (echo-request)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Allow internal network traffic
# ($internal must be set to the internal network in CIDR notation before running)
iptables -A INPUT -s $internal -j ACCEPT
# Set the general input policy to drop traffic.
iptables -P INPUT DROP

What I'm concerned with security-wise is that if BIND has an RCE
vulnerability, an unprivileged user might be able to "upload a shell"
that gets executed and listens on another port. With all other ports
closed, this can be prevented. It does not prevent against privilege
escalation vulnerabilities though, as root can of course adjust the
firewall at will. But I wouldn't consider security as "being
unhackable", rather making it as hard as possible to get in. A firewall
is a good starting point for that.

On Thu, 2020-10-15 at 21:38 +0200, sthaug at nethelp.no wrote:
> > I would run a firewall even for BIND alone on a box in case the box
> > gets compromised through BIND. Allowing remote access and DNS, then
> > dropping everything else as the general firewall policy should be
> > pretty straightforward. But with the IP on this particular BIND box
> > being public, it's really like any other server on the internet. Port
> > forwarding or NAT in that case would be unnecessary.
> 
> Do you mean a simple stateless ACL, or a stateful firewall? If you
> really mean a stateful firewall: Think about the effect of DNS
> queries - they are usually UDP based, and every new query is going
> to create state. Read up on state table exhaustion.
> 
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
-- 
Michael De Roover <isc at nixmagic.com>
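As an added illustration (not part of the thread, and not the poster's rules), here is a small POSIX shell function that emits the same kind of host ACL in iptables-restore format, but kept genuinely stateless in the sense Steinar raises: port 53 is exempted from connection tracking with NOTRACK in the raw table, so a flood of UDP queries never fills the conntrack table, and TCP return traffic is admitted by flag matching rather than -m state. The internal network CIDR and SSH port are parameters; the placeholder values are assumed, and the ruleset assumes an authoritative-only server (no inbound replies to recursive queries are allowed).

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a stateless DNS host ACL (added example).
# Usage: gen_dns_ruleset <internal-cidr> [ssh-port] | iptables-restore
gen_dns_ruleset() {
    internal="${1:?internal network CIDR required, e.g. 10.0.0.0/8}"  # assumed placeholder
    ssh_port="${2:-22}"
    cat <<EOF
# raw table: exempt DNS from conntrack so each query does not create
# a state entry (mitigates state-table exhaustion under query floods)
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp --dport 53 -j NOTRACK
-A PREROUTING -p tcp --dport 53 -j NOTRACK
-A OUTPUT -p udp --sport 53 -j NOTRACK
-A OUTPUT -p tcp --sport 53 -j NOTRACK
COMMIT
# filter table: default-deny inbound, explicit allow for what the host serves
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s ${internal} -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
# Stateless return path for this host's own outbound TCP (zone transfers
# it initiates, package updates): accept TCP segments that are not bare
# SYNs. Without conntrack this cannot tell a reply from an unsolicited ACK,
# which is the trade-off of a stateless ACL.
-A INPUT -p tcp ! --syn -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# everything else falls through to the INPUT DROP policy
COMMIT
EOF
}
# Apply with, e.g.:  gen_dns_ruleset 10.0.0.0/8 2222 | iptables-restore
```

Review the generated text with `iptables-restore --test` before loading it on a box you cannot reach out-of-band.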
