IPTABLES and DNS - Security



Thread: IPTABLES and DNS

  1. IPTABLES and DNS

    Group;

    I have a home server running CentOS 4.4, DHCP, DNS, SMB, and a genealogy
    program.

    When I turn on the firewall my DNS seems to go away. My PCs (Windows and
    Ubuntu) can't get the addresses and time out.

    I figured that DNS would not be bothered by the firewall, but I have proved
    this wrong.

    I used lokkit to open port 53 but that didn't solve the problem.

    What do I need to do for my PCs to get DNS from this server with the
    firewall on?

    TNX

    Doug



  2. Re: IPTABLES and DNS

    Doug Holtz:

    > I figured that DNS would not be bothered by the firewall, but I have
    > proved this wrong.
    >
    > I used lokkit to open port 53 but that didn't solve the problem.


    Did you open port 53 TCP, UDP or both?

    Try to open both TCP and UDP if you didn't. You can do that by entering

    53:tcp 53:udp

    in the lokkit program.

    --
    English is not my native language, so please forgive any errors.


  3. Re: IPTABLES and DNS


    Hans Ericson wrote:
    > Doug Holtz:
    >
    > > I figured that DNS would not be bothered by the firewall, but I have
    > > proved this wrong.
    > >
    > > I used lokkit to open port 53 but that didn't solve the problem.
    >
    > Did you open port 53 TCP, UDP or both?
    >


    You are very right to ask this for testing; but keep in mind that a
    DNS server that only serves clients (and doesn't propagate records to
    other servers elsewhere) will only need UDP:53 open.


  4. Re: IPTABLES and DNS


    "Hans Ericson" wrote in message
    news:9IZ1i.310$Tk3.430@newsb.telia.net...
    > Doug Holtz:
    >
    >> I figured that DNS would not be bothered by the firewall, but I have
    >> proved this wrong.
    >>
    >> I used lokkit to open port 53 but that didn't solve the problem.
    >
    > Did you open port 53 TCP, UDP or both?
    >
    > Try to open both TCP and UDP if you didn't. You can do that by entering
    >
    > 53:tcp 53:udp
    >
    > in the lokkit program.
    >
    > --
    > English is not my native language, so please forgive any errors.
    >


    Hans;

    Yes, I did this. It seemed DNS was not being resolved. I just tried it
    again and it is working correctly - no delays asking for web sites I haven't
    been to in months.

    Thanks for the reply.

    doug



  5. Re: IPTABLES and DNS

    saucily wrote:
    > Hans Ericson wrote:
    >> Doug Holtz:
    >>
    >>> I figured that DNS would not be bothered by the firewall, but I have
    >>> proved this wrong.
    >>>
    >>> I used lokkit to open port 53 but that didn't solve the problem.
    >>
    >> Did you open port 53 TCP, UDP or both?
    >>
    >
    > You are very right to ask this for testing; but keep in mind that a
    > DNS server that only serves clients (and doesn't propagate records to
    > other servers elsewhere) will only need UDP:53 open.
    >


    That's not quite true. If the data returned is over the maximum
    size, a client will likely make a TCP request for the data.

  6. Re: IPTABLES and DNS

    On 15 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
    <1179238438.285126.268650@l77g2000hsb.googlegroups.com>, saucily wrote:

    >Hans Ericson wrote:
    >> Doug Holtz:
    >>> I used lokkit to open port 53 but that didn't solve the problem.
    >>
    >> Did you open port 53 TCP, UDP or both?
    >
    >You are very right to ask this for testing; but keep in mind that a
    >DNS server that only serves clients (and doesn't propagate records to
    >other servers elsewhere) will only need UDP:53 open.


    1035 Domain names - implementation and specification. P.V.
    Mockapetris. November 1987. (Format: TXT=125626 bytes) (Obsoletes
    RFC0973, RFC0882, RFC0883) (Updated by RFC1101, RFC1183, RFC1348,
    RFC1876, RFC1982, RFC1995, RFC1996, RFC2065, RFC2136, RFC2181,
    RFC2137, RFC2308, RFC2535, RFC2845, RFC3425, RFC3658, RFC4033,
    RFC4034, RFC4035, RFC4343, RFC2137, RFC2845, RFC3425, RFC3658,
    RFC4035, RFC4033) (Also STD0013) (Status: STANDARD)

    DNS responses using UDP are limited in size to 512 octets (see paragraph
    2.3.4. "Size limits"). With some responses, there may be more data than
    will fit in 512 octets. In that case, the DNS server sets the "TC" or
    "TrunCation" flag, which specifies that this message was truncated due
    to length greater than that permitted on the transmission channel.
    Your resolver _MAY_ re-send the DNS query using TCP which has a far
    larger length restriction. Thus, both TCP _and_ UDP should be allowed
    through the firewall.

    Old guy
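
The fallback Moe Trin describes, as an added example that is not part of the original post: a small stub resolver that sends the query over UDP, checks the TC bit in the reply header, and re-sends the same query over TCP with the two-octet length prefix that RFC 1035 section 4.2.2 requires. The transports are injectable so it runs offline against constructed replies; the second scenario models a firewall that passes UDP/53 but drops TCP/53, which is the failure mode a UDP-only rule produces. The server 192.168.1.1, the name www.example.org and the 192.0.2.10 answer are assumptions, not values from the thread.

```python
"""Stub resolver showing the UDP -> TCP fallback the post above describes.

Added example, not code from the thread. A query goes out over UDP; if the
reply has the TC bit set, the same query is re-sent over TCP with the 2-octet
length prefix RFC 1035 section 4.2.2 requires. The transports are injectable
so the exchange can run offline against constructed replies that model a
firewall passing UDP/53 but blocking TCP/53. Server 192.168.1.1 and the
query name are assumptions.
"""
import socket
import struct


def build_query(name, qtype=1, txid=0x1234):
    """Standard recursive query (RD=1, QDCOUNT=1); qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Pull the header fields that matter for the fallback decision."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15 & 1, "tc": flags >> 9 & 1,
            "rcode": flags & 0xF, "ancount": an}


def recv_exact(sock, n):
    """TCP is a byte stream: keep reading until n octets have arrived."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def udp_query(server, query, timeout=2.0):
    """Live UDP transport (not exercised by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recv(4096)  # classic limit is 512 octets; a larger buffer is harmless


def tcp_query(server, query, timeout=2.0):
    """Live TCP transport: each message is prefixed with a 2-octet big-endian length."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)


def resolve(name, server="192.168.1.1", udp=udp_query, tcp=tcp_query):
    """Return (reply, transport). Raises RuntimeError when the UDP reply is
    truncated and the TCP retry cannot get through, which is what a firewall
    that only passes UDP/53 produces."""
    query = build_query(name)
    reply = udp(server, query)
    hdr = parse_header(reply)
    if hdr["id"] != struct.unpack("!H", query[:2])[0] or not hdr["qr"]:
        raise ValueError("reply does not match our query")
    if not hdr["tc"]:
        return reply, "udp"
    try:
        return tcp(server, query), "tcp"
    except OSError as exc:  # refused, timed out, reset: TCP/53 is not getting through
        raise RuntimeError(f"truncated UDP reply and TCP/53 unreachable: {exc}") from exc


# --- constructed fixtures for the offline run (not captured traffic) ----------
def _reply(query, tc, rrs=b""):
    """Response with the query's ID, QR/RD/RA set (+TC on request), the question
    echoed, and `rrs` as the answer section."""
    (txid,) = struct.unpack("!H", query[:2])
    flags = 0x8180 | (0x0200 if tc else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if rrs else 0, 0, 0) + query[12:] + rrs


def fake_transports(tcp53_open):
    """Simulated server that always truncates over UDP; over TCP it answers with one
    A record for 192.0.2.10 unless the firewall drops TCP/53 (a refused connection)."""
    def fake_udp(server, query):
        return _reply(query, tc=True)

    def fake_tcp(server, query):
        if not tcp53_open:
            raise ConnectionRefusedError("tcp/53 filtered")
        a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
        return _reply(query, tc=False, rrs=a_rr)
    return fake_udp, fake_tcp


def demo(tcp53_open):
    """One lookup against the simulated server; returns a one-line outcome."""
    udp, tcp = fake_transports(tcp53_open)
    try:
        reply, via = resolve("www.example.org", udp=udp, tcp=tcp)
    except RuntimeError as exc:
        return f"failed: {exc}"
    return f"answered via {via}, {parse_header(reply)['ancount']} RR(s)"


if __name__ == "__main__":
    print("firewall passes udp+tcp 53:", demo(True))
    print("firewall passes udp 53 only:", demo(False))
```

Modern resolvers and servers negotiate larger UDP payloads with EDNS0, but TCP fallback is still mandatory (RFC 7766) and zone transfers (AXFR) run over TCP only, so the conclusion stands: allow both protocols on port 53 from the clients the server is meant to serve. The ID and QR checks here are the bare minimum; a real resolver also verifies that the echoed question matches what it asked.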

  7. Re: IPTABLES and DNS

    > 1035 Domain names - implementation and specification. P.V.
    > Mockapetris. November 1987. (Format: TXT=125626 bytes) (Obsoletes
    > RFC0973, RFC0882, RFC0883) (Updated by RFC1101, RFC1183, RFC1348,
    > RFC1876, RFC1982, RFC1995, RFC1996, RFC2065, RFC2136, RFC2181,
    > RFC2137, RFC2308, RFC2535, RFC2845, RFC3425, RFC3658, RFC4033,
    > RFC4034, RFC4035, RFC4343, RFC2137, RFC2845, RFC3425, RFC3658,
    > RFC4035, RFC4033) (Also STD0013) (Status: STANDARD)
    >
    > DNS responses using UDP are limited in size to 512 octets (see paragraph
    > 2.3.4. "Size limits"). With some responses, there may be more data than
    > will fit in 512 octets. In that case, the DNS server sets the "TC" or
    > "TrunCation" flag, which specifies that this message was truncated due
    > to length greater than that permitted on the transmission channel.
    > Your resolver _MAY_ re-send the DNS query using TCP which has a far
    > larger length restriction. Thus, both TCP _and_ UDP should be allowed
    > through the firewall.
    >
    > Old guy


    Wow, I had no idea; that's good to know!

    Sorry for the misinformation and thanks to both of you for setting me
    straight!


  8. Re: IPTABLES and DNS


    "Moe Trin" wrote in message
    news:slrnf4k40o.ql4.ibuprofin@compton.phx.az.us...
    > On 15 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
    > <1179238438.285126.268650@l77g2000hsb.googlegroups.com>, saucily wrote:
    >
    >>Hans Ericson wrote:
    >>> Doug Holtz:
    >>>> I used lokkit to open port 53 but that didn't solve the problem.
    >>>
    >>> Did you open port 53 TCP, UDP or both?
    >>
    >>You are very right to ask this for testing; but keep in mind that a
    >>DNS server that only serves clients (and doesn't propagate records to
    >>other servers elsewhere) will only need UDP:53 open.
    >
    > 1035 Domain names - implementation and specification. P.V.
    > Mockapetris. November 1987. (Format: TXT=125626 bytes) (Obsoletes
    > RFC0973, RFC0882, RFC0883) (Updated by RFC1101, RFC1183, RFC1348,
    > RFC1876, RFC1982, RFC1995, RFC1996, RFC2065, RFC2136, RFC2181,
    > RFC2137, RFC2308, RFC2535, RFC2845, RFC3425, RFC3658, RFC4033,
    > RFC4034, RFC4035, RFC4343, RFC2137, RFC2845, RFC3425, RFC3658,
    > RFC4035, RFC4033) (Also STD0013) (Status: STANDARD)
    >
    > DNS responses using UDP are limited in size to 512 octets (see paragraph
    > 2.3.4. "Size limits"). With some responses, there may be more data than
    > will fit in 512 octets. In that case, the DNS server sets the "TC" or
    > "TrunCation" flag, which specifies that this message was truncated due
    > to length greater than that permitted on the transmission channel.
    > Your resolver _MAY_ re-send the DNS query using TCP which has a far
    > larger length restriction. Thus, both TCP _and_ UDP should be allowed
    > through the firewall.
    >
    > Old guy


    O G;

    Thanks to you and Chris for this TCP / UDP explanation.

    Doug


