
I have an Ubuntu Server 12.04, with two network cards:

  • eth0 is connected to the internet
  • eth1 is connected to a private network (192.168.10.1)

The server is configured as a gateway and hosts DNS and DHCP for the private network. Computers in the private network (say with IP address 192.168.10.50) can successfully connect to the internet.

The UFW rules look as follows:

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
67/udp on eth1             ALLOW       68/udp
53                         ALLOW       Anywhere
22                         ALLOW       Anywhere (v6)
80                         ALLOW       Anywhere (v6)
443                        ALLOW       Anywhere (v6)
67/udp on eth1             ALLOW       68/udp
53                         ALLOW       Anywhere (v6)

Any internet user can query my DNS server. I'd like to block such requests as it poses a security risk. I reset the firewall, allowed access to ports 80, 443, 22 and typed the following to only permit devices on the private network to make DNS requests.

sudo ufw allow in on eth1 to 192.168.10.1 port 53

When I type the following on a Windows computer (with IP address 192.168.10.50) in the private network:

nslookup google.com. 192.168.10.1

I get a response back that looks as follows:

DNS request timed out.
    timeout was 2 seconds.
Server: Unknown
Address: 192.168.10.1

When I reset the firewall and allow access to port 53 from anywhere, everything works again.

sudo ufw allow 53

How does one configure UFW on 192.168.10.1 to

  • block incoming DNS queries from the internet (aka eth0)
  • allow computers in the private network to make dns queries
  • allow the dns server on 192.168.10.1 to forward internal DNS requests to the internet
  • work for both IPv4 and IPv6
bloudraak
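A way to check a ufw status listing for the exact exposure described in the question (an added example, not part of the question): it flags every port-53 ALLOW rule whose source is Anywhere and which is not pinned to the private interface. The two listings inside it are constructed, one from the question's own rules and one from a restricted ruleset, and eth1 is assumed to be the private interface as in the question.

```shell
#!/bin/sh
# Added example, not part of the question: scan `ufw status` output for
# port-53 rules that accept queries from Anywhere without being bound to the
# private interface. Usage on the gateway:
#     sudo ufw status | dns_exposure_check eth1
# Exit status 1 means DNS is reachable from the internet-facing side.

dns_exposure_check() {
    iface="${1:-eth1}"   # private interface whose port-53 rules are trusted
    awk -v iface="$iface" '
    {
        # Columns are padded with runs of spaces, so split on 2+ spaces to
        # keep "53/udp on eth1" together as the To column.
        n = split($0, f, /  +/)
        if (n < 3) next
        to = f[1]; action = f[2]; from = f[3]
        # The port is the first token in the To column that looks like
        # NUMBER or NUMBER/proto (an address such as 192.168.10.1 is skipped).
        m = split(to, t, " ")
        port = ""
        for (i = 1; i <= m; i++)
            if (t[i] ~ /^[0-9]+(\/(tcp|udp))?$/) { port = t[i]; break }
        sub(/\/.*/, "", port)
        if (port != "53" || action != "ALLOW") next
        if (from !~ /^Anywhere/) next          # source-restricted rule: fine
        if (to ~ (" on " iface "$")) next       # bound to the private side
        exposed++
        print "EXPOSED: " $0
    }
    END { exit (exposed > 0 ? 1 : 0) }
    '
}

# Constructed sample: the ruleset from the question (DNS open to the world).
SAMPLE_OPEN='To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
67/udp on eth1             ALLOW       68/udp
53                         ALLOW       Anywhere
22                         ALLOW       Anywhere (v6)
53                         ALLOW       Anywhere (v6)'

# Constructed sample: the same server after limiting DNS to eth1 for both
# address families.
SAMPLE_CLOSED='To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
53/udp on eth1             ALLOW       Anywhere
53/tcp on eth1             ALLOW       Anywhere
53 on eth0                 DENY        Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
53/udp (v6) on eth1        ALLOW       Anywhere (v6)
53/tcp (v6) on eth1        ALLOW       Anywhere (v6)
53 (v6) on eth0            DENY        Anywhere (v6)'

# Demo: the question's ruleset is reported as exposed (exit status 1).
printf '%s\n' "$SAMPLE_OPEN" | dns_exposure_check eth1 \
    || echo "port 53 accepts queries from the internet side"
```

Piping real `sudo ufw status` output into the function is the intended use; it returns 1 and prints the offending rule whenever a port-53 ALLOW rule is reachable from Anywhere and not pinned to the private interface, so it can sit in a post-change check or a periodic audit job.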

3 Answers

2

In addition to blocking traffic at the UFW I would also limit connections on your DNS server. Assuming you're using BIND, something similar to this:

acl internal {
  192.168.10.0/24;
  # Add other internal networks here
};
options {
  listen-on { 192.168.10.1; };   # bind only to the private-side address
  allow-query { internal; };     # answer queries only from the acl above
};
Tommiie
1

Try this

sudo ufw allow from 192.168.10.0/24 to 192.168.10.1 port 53 proto tcp
sudo ufw allow from 192.168.10.0/24 to 192.168.10.1 port 53 proto udp

This will allow TCP and UDP DNS (port 53) traffic from your local private network (which I assume is 192.168.10.0/24, or in other words, 192.168.10.1-255) and not anywhere else.

Finally, check to make sure your UFW status (run sudo ufw status) has these lines:

To                         Action      From
--                         ------      ----
192.168.10.1 53/tcp        ALLOW       192.168.10.0/24
192.168.10.1 53/udp        ALLOW       192.168.10.0/24
Rouben
1

For the interface-based ufw rule, the following will block access to port 53 (assuming your dns/bind server is configured on port 53) from any interface that is not eth1:

sudo ufw allow in on eth1 to any port 53 proto tcp
sudo ufw allow in on eth1 to any port 53 proto udp
sudo ufw deny to any port 53

For configuring bind to forward dns requests, you can use this directive in your named.conf file after all your internally-handled zones:

zone "." {
    type forward;
    forwarders {
        8.8.8.8;   # upstream resolver for anything not answered locally
    };
};
2ps
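Putting the interface-based approach of this answer together with the TCP-plus-UDP point from the previous one, here is one ufw ruleset that meets all four requirements in the question (an added example, not taken from either answer). It assumes eth1 is the private interface and eth0 the internet-facing one, as in the question, and that IPV6=yes in /etc/default/ufw (the default), which is what makes ufw add an IPv6 twin for interface-bound "to any" rules; a rule written as "from 192.168.10.0/24" is IPv4-only.

```shell
#!/bin/sh
# Added example, not taken from any answer: one ufw ruleset that satisfies the
# four requirements in the question. Assumes eth1 = private interface and
# eth0 = internet-facing interface (as in the question) and IPV6=yes in
# /etc/default/ufw. Pass "echo" as the first argument to print the rules
# instead of applying them.

PRIV_IF="${PRIV_IF:-eth1}"
PUB_IF="${PUB_IF:-eth0}"

apply_dns_rules() {
    ufw_cmd="${1:-sudo ufw}"   # "echo" for a dry run

    # 1. Queries from the private network: UDP for ordinary lookups, TCP for
    #    truncated answers. "to any" (rather than "to 192.168.10.1") is what
    #    makes ufw add the IPv6 rule as well, so both families are covered.
    $ufw_cmd allow in on "$PRIV_IF" to any port 53 proto udp
    $ufw_cmd allow in on "$PRIV_IF" to any port 53 proto tcp

    # 2. Queries arriving on the internet-facing interface are dropped for
    #    both protocols (no proto given). Because this deny is bound to eth0
    #    it cannot shadow the eth1 allows whatever order the rules end up in;
    #    with ufw's default "deny incoming" policy it is mainly there to make
    #    the intent visible in `ufw status`.
    $ufw_cmd deny in on "$PUB_IF" to any port 53

    # 3. Forwarding by the server itself needs no extra rule: ufw's default
    #    outgoing policy is allow, and replies to its upstream queries are
    #    accepted by the RELATED,ESTABLISHED rule ufw installs ahead of the
    #    user rules.
}

# Dry run: print the three commands that would be applied.
apply_dns_rules echo
```

Run it as `apply_dns_rules` (no argument) on the gateway to apply the rules, then repeat the question's nslookup from 192.168.10.50, which should answer again, and check with `sudo ufw status verbose` that the only port-53 ALLOW rules are the ones "on eth1".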