Block all incoming DNS requests EXCEPT from IPs x,y,
This is very simple with iptables:
I'll assume your INPUT chain has no default DROP rule at the end, or you'll have to work around that:
# Allow DNS (53) from <source IP>
iptables -A INPUT -p udp --dport 53 -s <source IP> -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -s <source IP> -j ACCEPT
# Deny all other DNS requests
iptables -A INPUT -p udp --dport 53 -j DROP
iptables -A INPUT -p tcp --dport 53 -j DROP
Simply remove the two bottom rules if you have a default DROP policy. If you have a default DROP rule at the bottom of your chain, you'll have to insert (-I rulenum) these rules above that rule.
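The same ruleset as a small script (an added example, not part of the original answer) that handles several allowed sources, for instance the clients plus the secondary that pulls zone transfers, and takes care of the rule ordering when inserting above an existing DROP rule. The addresses are constructed placeholders, and IPTABLES defaults to "echo iptables" so the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Emit the "DNS only from these sources" ruleset for a list of allowed clients.
# Assumptions: the addresses are constructed placeholders; IPTABLES defaults to
# "echo iptables" so running this prints the commands instead of applying them.
IPTABLES="${IPTABLES:-echo iptables}"
ALLOWED_DNS_CLIENTS="${ALLOWED_DNS_CLIENTS:-203.0.113.10 203.0.113.11}"
# If the INPUT chain ends in an explicit DROP rule at position N, set INSERT_AT=N
# so the new rules land above it; leave empty to append with -A.
INSERT_AT="${INSERT_AT:-}"

# Emit one rule. With -I, the position is advanced after each rule so the rules
# keep the order they are emitted in; inserting everything at the same rulenum
# would reverse them and put the DROP above the ACCEPTs.
emit_rule() {
    if [ -n "$INSERT_AT" ]; then
        $IPTABLES -I INPUT "$INSERT_AT" "$@"
        INSERT_AT=$((INSERT_AT + 1))
    else
        $IPTABLES -A INPUT "$@"
    fi
}

# ACCEPT rules for one source, UDP and TCP (TCP carries large answers and AXFR/IXFR).
allow_dns_from() {
    for proto in udp tcp; do
        emit_rule -p "$proto" --dport 53 -s "$1" -j ACCEPT
    done
}

# Catch-all DROP; skip this function if the chain policy is already DROP.
deny_dns_others() {
    for proto in udp tcp; do
        emit_rule -p "$proto" --dport 53 -j DROP
    done
}

# Whole ruleset in first-match order: every allowed source, then the drop.
dns_ruleset() {
    for ip in $ALLOWED_DNS_CLIENTS; do
        allow_dns_from "$ip"
    done
    deny_dns_others
}

# Number of port-53 rules emitted: two per allowed source plus two drops.
dns_rule_count() {
    dns_ruleset | grep -c -- '--dport 53'
}

dns_ruleset
```

Run with IPTABLES=iptables (as root) to apply the rules instead of printing them.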
Author: ale
Updated on September 18, 2022

Comments
- ale (almost 2 years ago): I want to block all incoming requests on my two DNS servers APART FROM certain IP addresses, e.g. the IP 1.2.3.4 will be allowed to make requests but NOBODY else will. How do you do this with iptables? Many thanks.
- Zoredache (about 12 years ago): Your DNS server may also have ACL support for setting restrictions based on various criteria.
- gparent (about 12 years ago): Edited your answer to add TCP ports, pending review.
- ale (about 12 years ago): Awesome.. very very nearly what I want :).. I have a secondary DNS though.. do I need to do something on that server too?
- Kyle Smith (about 12 years ago): Approved, but I want to double-check this. I believe TCP is only used for IXFR/AXFR transfers?
- gparent (about 12 years ago): I believe it is also used for any packets over a certain size. See Wikipedia: "The Transmission Control Protocol (TCP) is used when the response data size exceeds 512 bytes, or for tasks such as zone transfers."
- Kyle Smith (about 12 years ago): Looks like I'm wrong! Thanks for pointing this out, @gparent. DNS does a "renegotiation" to TCP for large responses.
- gparent (about 12 years ago): Good to know, I wasn't sure of the exact details.
- Kyle Smith (about 12 years ago): That's why I contribute here, learn something new every day :-)
- gparent (about 12 years ago): @ale: Your secondary DNS probably needs to talk to your primary DNS in addition to the IPs you already specify, but that should be it.