Block all incoming DNS requests EXCEPT from IPs x,y,


This is very simple with iptables:

I'll assume your INPUT chain has no default DROP rule at the end, or you'll have to work around that:

# Allow DNS (53) from <source IP>
iptables -A INPUT -p udp --dport 53 -s <source IP> -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -s <source IP> -j ACCEPT

# Deny all other DNS requests
iptables -A INPUT -p udp --dport 53 -j DROP
iptables -A INPUT -p tcp --dport 53 -j DROP

Simply remove the two bottom rules if you have a default DROP policy. If you have a default DROP rule at the bottom of your chain, you'll have to insert (-I rulenum) these rules above that rule.
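The same allow-list, as an added example that is not part of the answer above: a POSIX shell script that validates the client list and prints the iptables commands, using a dedicated chain so the result is correct whether or not INPUT already ends in a catch-all DROP. The chain name DNS_IN and the helper names are assumptions of this example; nothing is applied to a live host until the printed commands are run.

```shell
#!/bin/sh
# Added example, not the original answer's code: emit iptables commands for
# an allow-list of DNS clients using a private chain (DNS_IN, an assumed
# name), which sidesteps the rule-ordering problem when INPUT ends in DROP.
# Input: a space-separated list of IPv4 addresses or CIDR prefixes.
# Nothing is applied here; review the output, then run it as root.

# Reject anything that is not dotted-quad IPv4 with an optional /prefix, so
# a stray token can never reach iptables as an unintended argument.
valid_ipv4() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the commands; return 1 and print no rules if any entry is invalid.
dns_rules() {
    allowed=$1
    [ -n "$allowed" ] || return 1
    for ip in $allowed; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    # The private chain holds the allow-list; -F makes re-runs idempotent.
    echo "iptables -N DNS_IN 2>/dev/null"
    echo "iptables -F DNS_IN"
    for ip in $allowed; do
        echo "iptables -A DNS_IN -s $ip -j ACCEPT"
    done
    echo "iptables -A DNS_IN -j DROP"
    # Jump into the chain for both transports (TCP carries zone transfers
    # and large responses). Deleting any old jump first keeps re-runs clean;
    # -I 1 puts the jump above an existing default DROP in INPUT.
    for proto in udp tcp; do
        echo "iptables -D INPUT -p $proto --dport 53 -j DNS_IN 2>/dev/null"
        echo "iptables -I INPUT 1 -p $proto --dport 53 -j DNS_IN"
    done
}

# Usage: dns_rules "1.2.3.4 198.51.100.0/24" | sudo sh
```

On the primary, include the secondary's address in the list as well, since it pulls zone transfers over TCP, as the comments below point out.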


Author: ale
Updated on September 18, 2022

Comments

  • ale almost 2 years

    I want to block all incoming requests on my two DNS servers APART FROM certain IP addresses e.g. IP of 1.2.3.4 will be allowed to make requests but NOBODY else will.

    How do you do this with iptables?

    Many thanks.

    • Zoredache about 12 years
      Your DNS server may also have ACL support for setting restrictions based on various criteria.
  • gparent about 12 years
    Edited your answer to add TCP ports, pending review.
  • ale about 12 years
    Awesome... very, very nearly what I want :)... I have a secondary DNS though... do I need to do something on that server too?
  • Kyle Smith about 12 years
    Approved, but I want to double-check this. I believe TCP is only used for IXFR/AXFR transfers?
  • gparent about 12 years
    I believe it is also used for any packets over a certain size. See wikipedia: "The Transmission Control Protocol (TCP) is used when the response data size exceeds 512 bytes, or for tasks such as zone transfers."
  • Kyle Smith about 12 years
    Looks like I'm wrong! Thanks for pointing this out, @gparent. DNS does a "renegotiation" to TCP for large responses.
  • gparent about 12 years
    Good to know, I wasn't sure of the exact details.
  • Kyle Smith about 12 years
    That's why I contribute here, learn something new every day :-)
  • gparent about 12 years
    @ale: Your secondary DNS probably needs to talk to your primary DNS in addition to the IPs you already specify, but that should be it.