BIND (named) provides the Domain Name System service. It uses both UDP and TCP and listens on port 53. Queries and responses that fit in a 512-byte datagram are carried over UDP (EDNS0 raises that limit, but the ports stay the same); larger exchanges, such as zone transfers (AXFR/IXFR) and responses that were truncated over UDP, use TCP.
i) named/bind server: TCP/UDP port 53
ii) Client (browser, dig, etc.): source port > 1023, which modern resolvers pick at random across that range to make spoofed responses harder to land
(A) Allow outgoing DNS client requests:
The following iptables rules can be added to your firewall shell script.
SERVER_IP is your server's IP address.
DNS_SERVER holds the IP address(es) of the nameservers you query, either those provided by your ISP or your own.
These rules are appropriate when you run a single web/SMTP server, or even a DSL/LL/dial-up Internet connection:
SERVER_IP="202.54.10.20"
DNS_SERVER="202.54.1.5 202.54.1.6"
for ip in $DNS_SERVER
do
    # UDP: query out from an unprivileged port, reply back from port 53
    iptables -A OUTPUT -p udp -s $SERVER_IP --sport 1024:65535 -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p udp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    # TCP: same pair, used for truncated answers and large responses
    iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 1024:65535 -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
done
(B) Allow incoming DNS requests on port 53:
Use the following rules only when you are protecting a dedicated DNS server.
SERVER_IP is the IP address on which BIND (named) is listening on port 53 for incoming DNS queries.
Note that these rules do not open TCP port 53, since in this setup there is no secondary server pulling zone transfers. Keep in mind that this also blocks ordinary queries whose answers do not fit in a UDP datagram (the server sets the TC bit and the client retries over TCP), so on a server that returns large records or DNSSEC-signed data you should allow TCP port 53 from 0/0 as well, using the same pattern as the UDP rules.
SERVER_IP="202.54.10.20"
# Queries from clients and resolvers using an unprivileged source port
iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# Queries from legacy resolvers that still send from source port 53
iptables -A INPUT -p udp -s 0/0 --sport 53 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT
If you have a secondary server, add the following rules to the ones above so that the secondary can pull zone transfers from the primary over TCP. Restrict transfers in named.conf as well (allow-transfer { 202.54.10.2; };) so the zone data stays protected even if the firewall rules are flushed:
DNS2_IP="202.54.10.2"
# Only the secondary may open TCP/53 to the primary
iptables -A INPUT -p tcp -s $DNS2_IP --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 53 -d $DNS2_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
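The client rules in (A), the server rules in (B) and the zone-transfer rules above, combined into one dry-runnable script. This is an added example, not the article's own script. It assumes a dry_run_iptables helper that prints each rule instead of applying it (point IPTABLES at it to review rules first), an is_ipv4 filter so that IPv6 resolvers found in resolv.conf are skipped rather than handed to iptables (they need ip6tables), and RFC 5737 documentation addresses in the usage comment. Unlike the article it opens TCP 53 on the server side too, because truncated UDP answers are retried over TCP, and it leaves out the source-port-53-to-port-53 rules, which only matter for legacy resolvers.

```shell
#!/bin/sh
# Added example (not code from the original article): generate the DNS
# client, server and zone-transfer rules with an optional dry-run mode.
# Assumption: IPTABLES may name a shell function such as dry_run_iptables.

IPTABLES="${IPTABLES:-iptables}"
UNPRIVPORTS="1024:65535"

# Print the rule instead of applying it (set IPTABLES=dry_run_iptables).
dry_run_iptables() {
    printf 'iptables %s\n' "$*"
}

# True if $1 is a dotted-quad IPv4 address. IPv6 resolvers are skipped
# because these rules are for iptables, not ip6tables.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
}

# Client side: let this host ($1) query one upstream resolver ($2).
# TCP is included because answers truncated over UDP are retried over TCP.
dns_client_rules() {
    for _p in udp tcp; do
        "$IPTABLES" -A OUTPUT -p "$_p" -s "$1" --sport "$UNPRIVPORTS" -d "$2" --dport 53 \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        "$IPTABLES" -A INPUT -p "$_p" -s "$2" --sport 53 -d "$1" --dport "$UNPRIVPORTS" \
            -m state --state ESTABLISHED -j ACCEPT
    done
}

# Server side: accept queries for named on $1 from anywhere, UDP and TCP.
# NEW is only allowed inbound; replies ride on the ESTABLISHED state.
dns_server_rules() {
    for _p in udp tcp; do
        "$IPTABLES" -A INPUT -p "$_p" -s 0/0 --sport "$UNPRIVPORTS" -d "$1" --dport 53 \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        "$IPTABLES" -A OUTPUT -p "$_p" -s "$1" --sport 53 -d 0/0 --dport "$UNPRIVPORTS" \
            -m state --state ESTABLISHED -j ACCEPT
    done
}

# Zone transfer: only the named secondary ($2) may open TCP/53 to the
# primary ($1). Pair this with allow-transfer in named.conf so the zone
# stays protected even if the firewall rules are flushed.
zone_transfer_rules() {
    "$IPTABLES" -A INPUT -p tcp -s "$2" --sport "$UNPRIVPORTS" -d "$1" --dport 53 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp -s "$1" --sport 53 -d "$2" --dport "$UNPRIVPORTS" \
        -m state --state ESTABLISHED -j ACCEPT
}

# Client rules for every IPv4 "nameserver" entry in resolv.conf-style
# text passed as $2; comments and other keywords are ignored.
client_rules_from_resolv() {
    printf '%s\n' "$2" | awk '$1 == "nameserver" && NF >= 2 { print $2 }' |
    while read -r _ns; do
        if is_ipv4 "$_ns"; then
            dns_client_rules "$1" "$_ns"
        else
            printf 'skipping non-IPv4 nameserver %s (needs ip6tables)\n' "$_ns" >&2
        fi
    done
}

# Usage (RFC 5737 addresses; drop the IPTABLES line to apply for real):
# IPTABLES=dry_run_iptables
# client_rules_from_resolv 203.0.113.10 "$(cat /etc/resolv.conf)"
# dns_server_rules 203.0.113.10
# zone_transfer_rules 203.0.113.10 203.0.113.20
```

Run it once with IPTABLES=dry_run_iptables and read the output before applying; on current kernels -m state is an alias for -m conntrack --ctstate, so the rules load unchanged either way.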
Hey buddy,
check out this line in your how-to:
iptables -A OUTPUT-p
Poor copy and pasters
Also, say you're running a name server and you need to communicate with any name servers:
IPADDR=xxx.xxx.xxx.xxx
UNPRIVPORTS="1024:65535"
iptables -A OUTPUT -p udp -s $IPADDR --sport $UNPRIVPORTS -d 0/0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 53 -d $IPADDR --dport $UNPRIVPORTS -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $IPADDR --sport $UNPRIVPORTS -d 0/0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 53 -d $IPADDR --dport $UNPRIVPORTS -m state --state ESTABLISHED -j ACCEPT
Hi guys, I don't know if this is the right place to post it, but I'd like to ask if any of you know how to change that port 53 to port 25. Our professors in school gave us something like this to solve.
For a pure and simple DNS client (not hosting a DNS server and so on), I scripted it as follows:
for dnsserverip in `grep nameserver /etc/resolv.conf | sed 's/.* //'` ; do
    /usr/sbin/iptables -A INPUT -p udp --dport 53 -s $dnsserverip -m state --state NEW -j ACCEPT
    /usr/sbin/iptables -A INPUT -p tcp --dport 53 -s $dnsserverip -m state --state NEW -j ACCEPT
done
I also have separate lines in my generic iptables script globally allowing “ESTABLISHED,RELATED”, negating the need for adding these parameters elsewhere.