I had a problem with our DNS servers. It turned out that the DNS servers
were very, very busy with rejecting answers. See discussion "Blocking
DNS cache queries". I assume DNSAmp is the formal incorporation of the
solution.
Igor Sverkos wrote on 21-8-2014 14:00:
Hi,
Ruud Baart wrote:
> as I can see the DNSAmp macro does not work as I expect. Perhaps I
> do something wrong.
>
> With the imperfect firewall rule I test the DNS recursive query:
>
> The rule:
> IPTABLES(DROP) wan1:!$TRUSTEDHOSTS lan1 udp 53 ; -m string --algo
> bm --hex-string "|01000001|"
>
> This is what I expect: only queries for which the DNS server is
> responsible are handled.
Mh? That sounds strange... are you saying you are expecting that
iptables should know "our DNS server is responsible for foo.tld and
bar.tld. Queries for any other domains should be dropped/rejected"?
How should that work?
Remember what the rule you quoted is doing: It is just matching for
DNS queries of the ANY type. In other words: Only queries from clients
which aren't $TRUSTEDHOSTS like
dig @dns.yourdomain.com isc.org ANY
will be dropped. But queries from any client like
dig @dns.yourdomain.com isc.org TXT
will be answered because the iptables rules will only match for DNS
query type "ANY".
I am not yet sure about shorewall's new DNSAmp action but it looks
like it is doing the same (just blocking *any* ANY query, which could
be a problem if you need ANY queries) using the u32 module for better
performance.
Regards,
Igor
------------------------------------------------------------------------------
Slashdot TV.
Video for Nerds. Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
--
Kind regards/Regards,
Tiswe/R.J. Baart Automatisering B.V.
Ruud Baart
Tel: +31 6 51318104
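To see concretely what the rule discussed above looks at, here is an added example (not code from the thread or from Shorewall) that builds the two dig queries Igor mentions in RFC 1035 wire format, parses the QTYPE from the question section, and runs an iptables-style substring match over the packet bytes. The "01000001" pattern is the one from the quoted rule; the "00ff0001" pattern (QTYPE ANY = 255 followed by QCLASS IN = 1) is my own assumption of what a match aimed specifically at ANY queries would look for.

```python
import struct

QTYPE_TXT = 16
QTYPE_ANY = 255

def build_query(name, qtype, txid=0x1234, flags=0x0100):
    """Build a minimal one-question DNS query (RFC 1035 wire format).
    flags=0x0100 is a standard query with only the RD bit set."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN = 1

def question_qtype(packet):
    """Parse the first question of a DNS packet and return its QTYPE."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        return None
    pos = 12                          # question section starts after the header
    while packet[pos] != 0:           # walk the length-prefixed QNAME labels
        pos += 1 + packet[pos]
    pos += 1                          # skip the terminating zero-length label
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return qtype

def string_match(packet, hexpattern):
    """Mimic iptables -m string --hex-string: a plain substring search
    anywhere in the UDP payload, with no knowledge of DNS structure."""
    return bytes.fromhex(hexpattern) in packet

# Constructed sample packets: the two queries from the thread.
any_query = build_query("isc.org", QTYPE_ANY)
txt_query = build_query("isc.org", QTYPE_TXT)

PATTERN_FROM_THREAD = "01000001"  # header bytes: flags 0x0100 + QDCOUNT 1
PATTERN_QTYPE_ANY = "00ff0001"    # assumed: QTYPE ANY (255) + QCLASS IN (1)

def classify(packet):
    """Report the parsed QTYPE and which byte patterns the packet contains."""
    return {
        "qtype": question_qtype(packet),
        "thread_pattern": string_match(packet, PATTERN_FROM_THREAD),
        "qtype_any_pattern": string_match(packet, PATTERN_QTYPE_ANY),
    }

if __name__ == "__main__":
    for label, pkt in (("ANY", any_query), ("TXT", txt_query)):
        print(label, classify(pkt))
```

Parsing the question section tells you the real query type; a raw substring match only tells you whether a byte sequence occurs somewhere in the payload, which is why the choice of pattern decides which queries a rule like this actually drops.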