RHEL 6.6 authoritative DNS server. Right now in iptables I have the INPUT chain defaulting to ACCEPT:
:INPUT ACCEPT [0:0]
I have been having some issues with it being attacked lately, and I am just wondering what would be affected from a DNS service standpoint if I were to change the default policy to DROP:
:INPUT DROP [0:0]
I am also looking at doing this with the OUTPUT chain as well, but again my concern is that, since this is a public DNS server, if I change this, would there be negative implications for how the server communicates with other DNS servers when doing things such as zone transfers, caching and the like?
Just to give an idea of what I have now, here are the contents of /etc/sysconfig/iptables:
*filter
# Chain policies: INPUT currently ACCEPT, FORWARD DROP, OUTPUT ACCEPT
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1015316:198598633]
# Drop packets conntrack cannot classify, accept replies to existing connections and loopback
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Management: SSH from one /24, ping (ICMP echo-request) from one /18
-A INPUT -s X.X.X.X/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s X.X.X.X/18 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
# Public DNS service on TCP and UDP 53
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
# Two blocked source hosts, then a catch-all drop at the end of INPUT
-A INPUT -s X.X.X.X/32 -j DROP
-A INPUT -s X.X.X.X/32 -j DROP
-A INPUT -j DROP
# One outbound destination range blocked
-A OUTPUT -d X.X.X.X/20 -j DROP
COMMIT
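For reference, here is what the same file looks like once both INPUT and OUTPUT default to DROP while still letting an authoritative server answer queries, send NOTIFYs, and pull or serve zone transfers. This is an added example, not the poster's file or an answer from the thread; the X.X.X.X placeholders are copied from the post as-is, and the NTP and yum (80/443) rules are assumptions about what a typical RHEL 6 box still needs outbound, to be trimmed to what this host actually uses.

```iptables
# Added example: /etc/sysconfig/iptables with INPUT and OUTPUT policy DROP.
# Load with: iptables-restore < /etc/sysconfig/iptables  (or service iptables restart)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# ---- INPUT ----
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Blocked hosts come BEFORE the service rules, otherwise the port-53 ACCEPT
# rules above them would let those hosts query anyway.
-A INPUT -s X.X.X.X/32 -j DROP
-A INPUT -s X.X.X.X/32 -j DROP
# Management: SSH and ping from the admin ranges only (same as the original set).
-A INPUT -s X.X.X.X/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s X.X.X.X/18 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
# Public DNS: UDP for ordinary queries; TCP for retries after a truncated (TC)
# answer and for AXFR/IXFR requests from secondaries that pull zones from here.
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
# No trailing "-j DROP" is needed any more: the chain policy does that. A
# rate-limited LOG rule shows what the policy is discarding while you tune.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "

# ---- OUTPUT ----
# This rule is what keeps the server answering: the reply to an accepted UDP
# query, and every packet of an accepted TCP zone transfer, is ESTABLISHED in
# conntrack terms. Without it OUTPUT DROP silently eats every answer.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# The existing outbound block stays ahead of the ACCEPT rules.
-A OUTPUT -d X.X.X.X/20 -j DROP
# Connections this server itself opens toward other name servers: NOTIFY to
# secondaries (UDP), SOA refresh checks and the AXFR/IXFR it pulls when it is
# itself a secondary (TCP), and, only if recursion is enabled, the queries it
# sends out to other servers on behalf of clients (UDP, falling back to TCP).
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
# Assumed housekeeping: NTP (DNSSEC signature validity depends on correct time)
# and yum over HTTP/HTTPS. Remove or narrow these to what the host really uses.
-A OUTPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# Outbound ping for monitoring checks; ICMP errors the host emits in response
# to tracked traffic (e.g. port unreachable) already pass as RELATED.
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUTPUT-DROP: "
COMMIT
```

Two caveats worth knowing before switching the policies. First, with a DROP policy a bare `iptables -F` no longer "opens" the box: it removes the ACCEPT rules but leaves the policy, so a remote SSH session is cut off; on RHEL 6 use `service iptables stop`, which also resets the policies to ACCEPT, or `service iptables restart` to reload this file. Second, every rule above uses `-m state`, so each query creates a conntrack entry; under the kind of flood the poster describes, `nf_conntrack` can fill its table and the kernel then drops new queries regardless of the policy. The usual remedy on a busy authoritative server is to exempt port 53 from tracking in the raw table (`-t raw -A PREROUTING -p udp --dport 53 -j NOTRACK`, and the matching OUTPUT `--sport 53` line), but untracked packets are neither NEW nor ESTABLISHED, so the port-53 rules in both chains must then be written without `-m state`.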