
I have to manage one server with an open DNS service on it. Recently, it was heavily abused for DDoS DNS amplification attacks by unknown internet attackers. This DNS service is used by some localhost programs and intranet clients in a way I don't fully understand, which is why I am afraid of any reconfiguration of the DNS service itself. However, I thought that if I deny all DNS requests from the outer internet, it may solve my problems.

My questions are:

1) How to deny all DNS requests from outer internet using iptables, leaving localhost and intranet (IP: 10.0.0.X and 10.0.1.X) intact?

2) Won't it harm usability of DNS service from intranet?

3) Won't it harm usability of other internet services (web+mail+db) on the server?

All domains currently used by our websites are managed by another company on their server; to my knowledge, nobody from the outer internet should need access to our DNS service.

Thank you.

Akber Choudhry
David162795
    Rather than blocking access in the firewall, you might want to consider just getting the DNS server to listen on the intranet-facing addresses only. – nickgrim Mar 04 '13 at 10:54
  • I edited named.conf by adding line "listen-on { 10.0.0.1;10.0.1.1; 127.0.0.1; };" into option sections. Is that all? Seems like it is working fine. Thank you. – David162795 Mar 05 '13 at 13:23

2 Answers


The easiest way to remove access from the outside would be to block all external access to UDP (and possibly TCP) port 53. That will stop it serving requests outward but leave outgoing traffic to port 53 open, so that it can make recursive requests for your internal servers.

If you're going to offer a recursive nameserver to the internet, it's advisable that you know a good deal about the security and configuration of your server. Otherwise, leave it to the professionals, or hosting services.

NickW
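A concrete version of this answer, as an added example that is not part of the original post: it accepts port 53 from the loopback interface and from the two intranet ranges named in the question, drops everything else addressed to port 53 over both UDP and TCP, and leaves the server's own outbound lookups untouched. Assumptions not stated on the page: 10.0.0.X and 10.0.1.X are the /24 networks below, the rules go into the filter table's INPUT chain, and the conntrack match is available (any modern iptables). The rule generator is separated from the loader so the rules can be reviewed with a dry run before they are loaded.

```shell
#!/bin/sh
# Added example (not from the original answer): refuse DNS queries that come
# from the internet while leaving localhost and the intranet alone, without
# touching the server's own outbound lookups.
# Assumptions: 10.0.0.X / 10.0.1.X are the /24 networks listed below, and the
# host has the conntrack match available (any modern iptables).
set -eu

IPT="${IPT:-iptables}"              # set IPT="echo iptables" for a dry run
INTRANET="10.0.0.0/24 10.0.1.0/24"  # assumed intranet networks

# Print the rules for one transport (udp or tcp), one per line and without
# the "iptables" prefix, so they can be reviewed before they are applied.
dns_rules() {
    proto="$1"
    # Localhost programs reach the resolver over the loopback interface.
    printf '%s\n' "-A DNS-IN -i lo -p $proto --dport 53 -j ACCEPT"
    for net in $INTRANET; do
        printf '%s\n' "-A DNS-IN -s $net -p $proto --dport 53 -j ACCEPT"
    done
    # Everything else addressed to port 53 is dropped. DROP rather than
    # REJECT: a REJECT sends ICMP/RST back to the (spoofed) source address,
    # which is itself a small reflection.
    printf '%s\n' "-A DNS-IN -p $proto --dport 53 -j DROP"
}

# Load the rules. Safe to run again: the chain is flushed and the INPUT
# jumps are deleted before they are re-inserted.
apply() {
    $IPT -N DNS-IN 2>/dev/null || $IPT -F DNS-IN
    for proto in udp tcp; do
        dns_rules "$proto" | while read -r rule; do
            # shellcheck disable=SC2086  (splitting the rule into words is intended)
            $IPT $rule
        done
    done
    # Replies to the server's own outbound lookups arrive with *source* port
    # 53, so they never match --dport 53 and never enter DNS-IN; this rule
    # only matters if INPUT's policy is DROP and no such rule exists yet.
    $IPT -D INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
    $IPT -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for proto in udp tcp; do
        $IPT -D INPUT -p "$proto" --dport 53 -j DNS-IN 2>/dev/null || true
        $IPT -I INPUT -p "$proto" --dport 53 -j DNS-IN
    done
}

# Usage: sh dns-firewall.sh apply
#    or: IPT="echo iptables" sh dns-firewall.sh apply   (print, don't load)
if [ "${1:-}" = apply ]; then
    apply
fi
```

Run it once with `IPT="echo iptables"` to see exactly what would be loaded, then without. Because the rules are an allowlist followed by a DROP, an intranet host outside the two assumed /24s would lose DNS as well; widen `INTRANET` if the real subnets are larger. Note that this only stops the server from being used as a reflector; if the daemon keeps listening on the public address it still receives the packets, so the `listen-on` change from the comments above remains the cleaner fix.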

You don't need Netfilter/iptables for that. All recursive name server software allows you to answer only the local network. Assuming your network is 10.1.0.0/16, with Unbound:

server:
    # Refuse everyone, then allow the intranet; the most specific netblock wins.
    access-control: 0.0.0.0/0 refuse
    access-control: 10.1.0.0/16 allow

With BIND:

acl mynet {
    10.1.0.0/16;
};
options {
    // inside the existing options { ... } block
    allow-recursion   { mynet; };
    allow-query-cache { mynet; };
};
bortzmeyer
    While that is certainly the most straightforward way, if he has no need to provide DNS service to anyone outside of his intranet, what possible reason is there to leave the port open? – NickW Mar 07 '13 at 10:38
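Whichever of the two approaches is taken (the firewall rules from the first answer, or the `listen-on` / ACL change from the comments and the second answer), the result should be confirmed from a host on the internet, not from the intranet. The following is an added example, not from either answer or from the comments: it sends one recursive query over UDP and one over TCP with `dig` and classifies the outcome. It assumes `dig` is installed on the probing host and uses `example.com` as a name this server is not authoritative for (an assumption; pick any such name). The classification is done in a separate function so it can be checked against captured `dig` output.

```shell
#!/bin/sh
# Added example, not from the original answers: probe the server from an
# outside host with dig and classify what it does with a recursive query.
# Usage: sh probe-dns.sh <public-address-of-server>
# Assumptions: dig is installed here, and example.com is a name the server
# is not authoritative for (an authoritative answer would be expected for
# the server's own zones and says nothing about recursion).
set -eu

# Read dig output on stdin and print one word:
#   dropped  - no reply at all (the firewall DROPs port 53, or the daemon no
#              longer listens on that address)
#   refused  - the daemon answered REFUSED (Unbound 'refuse', BIND with
#              allow-recursion/allow-query-cache restricted)
#   open     - NOERROR with the 'ra' (recursion available) flag set: the
#              server is still an open resolver and can be abused
#   closed   - NOERROR without 'ra': it answered, but did not offer recursion
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"no servers could be reached"*) echo dropped; return 0 ;;
    esac
    # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60149"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    # ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, ..."
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
    case "$status" in
        REFUSED) echo refused ;;
        NOERROR)
            case " $flags " in
                *" ra "*) echo open ;;
                *)        echo closed ;;
            esac ;;
        *) echo "other:${status:-none}" ;;
    esac
}

# One query over UDP and one over TCP: a firewall rule or listen-on change
# that covers only one transport leaves the other open.
probe() {
    server="$1"
    for opt in "" "+tcp"; do
        # $opt is intentionally unquoted: an empty value must disappear.
        verdict=$(dig @"$server" $opt +time=2 +tries=1 example.com A 2>&1 | classify_dig_output)
        printf '%s %s: %s\n' "$server" "${opt:-+udp}" "$verdict"
    done
}

if [ $# -ge 1 ]; then
    probe "$1"
fi
```

`dropped` is what the iptables DROP rule or a removed `listen-on` address produces; `refused` is what the Unbound and BIND ACLs produce. Either is acceptable for the amplification problem, since a REFUSED reply is tiny and carries no amplification. `open` from the outside means the change has not taken effect (wrong interface, rules loaded into the wrong table, or the daemon not reloaded) and the server can still be abused.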