Secure dnsmasq dns daemon with whitelist

I'm using dnsmasq on a server (bound to the WAN IP) and would like to add an ACL/whitelist for IP ranges/IP addresses allowed to resolve DNS using my server.

I can't seem to find anything from Google. Is there an option to whitelist/block non-allowed addresses from resolving using my server?

Please don't suggest using iptables or other firewall solutions.

Daniel

Posted 2015-06-29T13:31:47.887

Reputation: 202

iptables is the only solution. – MariusMatutiae – 2015-06-29T13:41:23.483

@MariusMatutiae that would explain the lack of any option in the docs/www. Guess I'll just use iptables then. Thanks (if you want, feel free to post this as an answer). – Daniel – 2015-06-30T08:04:11.073

Done, glad to see you accepted iptables as a solution. – MariusMatutiae – 2015-06-30T08:22:12.553

Answers

The only solution I know is through iptables.

It is easiest to do this with ipset: create a list of allowed IPs,

    ipset create good_ips hash:net

add your IPs to the list,

    ipset add good_ips 8.8.8.8
    ipset add good_ips 192.168.155.0/24

Then you can block all IPs not in the list from accessing your DNS server, as follows:

    iptables -A INPUT -p udp --dport 53 -m set ! --match-set good_ips src -j DROP

This can be made permanent with:

    ipset save > /etc/ipset.conf
    systemctl enable ipset

(the last command is for systemd services, which by now covers most Linuxes; if you are not on such a system, please adjust it accordingly).

MariusMatutiae

Posted 2015-06-29T13:31:47.887

Reputation: 41 321

I get "iptables v1.4.21: Set ! doesn't exist." when I try to run that iptables command – chovy – 2016-02-25T23:04:33.243

Don't you need a rule to ACCEPT the IPs in the whitelist? – chovy – 2016-02-26T06:57:36.883

@chovy It depends on your default policy: if your default policy is DROP, then yes, you do. But if your default policy is ACCEPT, then you do not. – MariusMatutiae – 2016-02-26T07:05:11.850

Can you give a more complete example? I am unable to get this to work, and you have a syntax error as well (see first comment). Maybe you can comment here: http://serverfault.com/questions/759927/how-to-setup-a-whitelist-using-iptables-and-ipset – chovy – 2016-02-26T07:26:24.833
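The complete, re-runnable form of the ipset + iptables whitelist that the comments ask for, as an added example (this is editor-supplied script, not code from the answer or from the commenters). It keeps the answer's approach and set name (good_ips, DROP for sources outside the set, default INPUT policy assumed to be ACCEPT) and adds what a practitioner needs on top: the negation placed where iptables accepts it (`-m set ! --match-set`, which is what the "Set ! doesn't exist" error is about), a rule for TCP port 53 as well as UDP (DNS falls back to TCP for large responses), a sanity check on each address before it reaches the ipset command line, and `-exist` plus `iptables -C` so the script can be run again without creating duplicate rules. The DRY_RUN variable is this script's own convention.

```shell
#!/bin/sh
# Added example, not from the answer: dnsmasq client whitelist with ipset + iptables.
# Assumes (like the answer) that the INPUT chain's default policy is ACCEPT.
# Usage: DRY_RUN=1 sh dns_whitelist.sh 192.168.155.0/24 8.8.8.8   (print only)
#        sh dns_whitelist.sh 192.168.155.0/24 8.8.8.8              (apply, as root)

SET_NAME="good_ips"   # same set name as in the answer

# Print a command instead of executing it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a plain IPv4 address or IPv4/prefix. Anything with stray
# characters, a bad octet or a bad prefix length is rejected before it can
# be passed to ipset.
valid_cidr() {
    case "$1" in
        ""|*[!0-9./]*|.*|*.|*..*) return 1 ;;
    esac
    _ip=${1%%/*}
    _prefix=${1#*/}
    [ "$_prefix" = "$1" ] && _prefix=32          # no "/": a single host
    [ "$_prefix" -ge 0 ] 2>/dev/null && [ "$_prefix" -le 32 ] || return 1
    _count=0
    _old_ifs=$IFS
    IFS=.
    for _o in $_ip; do
        [ "$_o" -ge 0 ] 2>/dev/null && [ "$_o" -le 255 ] || { IFS=$_old_ifs; return 1; }
        _count=$((_count + 1))
    done
    IFS=$_old_ifs
    [ "$_count" -eq 4 ]
}

# Append a rule only if an identical one is not already present (-C),
# so re-running the script does not stack duplicate rules.
add_rule() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables -A %s\n' "$*"
    else
        iptables -C "$@" 2>/dev/null || iptables -A "$@"
    fi
}

# Create the set, fill it, then drop DNS traffic from any source not in it.
build_rules() {
    run ipset create "$SET_NAME" hash:net -exist
    for _net in "$@"; do
        if valid_cidr "$_net"; then
            run ipset add "$SET_NAME" "$_net" -exist
        else
            echo "skipping invalid entry: $_net" >&2
        fi
    done
    # "!" negates --match-set. Writing "--match-set ! good_ips" makes iptables
    # look for a set literally named "!", hence "Set ! doesn't exist".
    for _proto in udp tcp; do
        add_rule INPUT -p "$_proto" --dport 53 -m set ! --match-set "$SET_NAME" src -j DROP
    done
}

if [ "$#" -gt 0 ]; then
    build_rules "$@"
fi
```

Because the rules are appended with -A, any earlier ACCEPT rule for port 53 in INPUT still wins; insert with -I instead if such a rule exists. With a default policy of DROP, the explicit ACCEPT rule for the set that the comments mention is needed in addition, as the answer's follow-up says. Saving the set (ipset save) and the iptables rules across reboots is distribution specific and is left as in the answer.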