
I want to block all incoming requests on my two DNS servers APART FROM certain IP addresses e.g. IP of 1.2.3.4 will be allowed to make requests but NOBODY else will.

How do you do this with iptables?

Many thanks.

Kyle Smith
ale

1 Answer


This is very simple with iptables:

I'll assume your INPUT chain has no default DROP rule at the end, or you'll have to work around that:

# Allow DNS (53) from <source IP>
iptables -A INPUT -p udp --dport 53 -s <source IP> -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -s <source IP> -j ACCEPT

# Deny all other DNS requests
iptables -A INPUT -p udp --dport 53 -j DROP
iptables -A INPUT -p tcp --dport 53 -j DROP

Simply remove the two bottom rules if you have a default DROP policy. If you have a default DROP rule at the bottom of your chain, you'll have to insert (-I rulenum) these rules above that rule.

Kyle Smith
  • Edited your answer to add TCP ports, pending review. – gparent Mar 29 '12 at 13:59
  • Awesome... very, very nearly what I want :)... I have a secondary DNS though... do I need to do something on that server too? – ale Mar 29 '12 at 13:59
  • Approved, but I want to double-check this. I believe TCP is only used for IXFR/AXFR transfers? – Kyle Smith Mar 29 '12 at 14:03
  • I believe it is also used for any packets over a certain size. See Wikipedia: "The Transmission Control Protocol (TCP) is used when the response data size exceeds 512 bytes, or for tasks such as zone transfers." – gparent Mar 29 '12 at 14:04
  • Looks like I'm wrong! Thanks for pointing this out, @gparent. DNS does a "renegotiation" to TCP for large responses. – Kyle Smith Mar 29 '12 at 14:04
  • Good to know, I wasn't sure of the exact details. – gparent Mar 29 '12 at 14:05
  • That's why I contribute here, learn something new every day :-) – Kyle Smith Mar 29 '12 at 14:06
  • @ale: Your secondary DNS probably needs to talk to your primary DNS in addition to the IPs you already specify, but that should be it. – gparent Mar 29 '12 at 18:09
  • Add two more allow rules (one udp, one tcp) on the primary allowing the source IP of the secondary. – dmourati Dec 09 '14 at 04:36