On Sat, Mar 01, 2014 at 03:35:25PM +0000, Phil Mayers wrote:
> On 01/03/2014 14:30, Chuck Anderson wrote:
>
> > How should these rules be changed to adhere to the Best Practices
> > while not breaking anything and still allowing the servers to do
> > their own DNS lookups? I know theoretically how I would do this,
> > but I'm looking for others' experiences.
>
> There are probably an arbitrary number of ways to skin this cat.
Yes, and here's another. :) (Also Linux-specific.)

In my view there's no point in Linux connection tracking for UDP DNS
queries. A typical UDP "connection" is two packets: a query going out,
and an answer coming back. And as I have seen, a busy named server can
have lots of these entries in its conntrack table. Each entry requires
kernel-space memory of course, and each entry counts against the total
number of entries that the table can accommodate.

Therefore my approach is to use the raw table to keep these
"connections" out of conntrack altogether. The following sample ruleset
is obviously incomplete; there is no filtering being done.

root@tp:~# iptables-save
# Generated by iptables-save v1.4.20 on Sat Mar  1 12:42:55 2014
*filter
:INPUT ACCEPT [1:324]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:104]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
COMMIT
# Completed on Sat Mar  1 12:42:55 2014
# Generated by iptables-save v1.4.20 on Sat Mar  1 12:42:55 2014
*raw
:PREROUTING ACCEPT [96:19019]
:OUTPUT ACCEPT [118:13918]
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "do not track outbound DNS queries on UDP" -j NOTRACK
-A PREROUTING -p udp -m udp --sport 53 -m comment --comment "do not track inbound DNS replies on UDP" -j NOTRACK
-A OUTPUT -p udp -m udp --dport 53 -m comment --comment "do not track outbound DNS queries on UDP" -j NOTRACK
-A OUTPUT -p udp -m udp --sport 53 -m comment --comment "do not track inbound DNS replies on UDP" -j NOTRACK
COMMIT
# Completed on Sat Mar  1 12:42:55 2014

Note that in the filter table, only one rule is required to do all
conntrack-based acceptance. The example above is for a ruleset on a
named server, but if this was for a firewall in front of a named
server, you would need that rule in FORWARD, not INPUT.

Note also: NOTRACK and DNAT are exclusive. If you're wanting to do this
on a NAT router, forget it. For now, increase the size of your conntrack
table as much as necessary; later, get it set up without the NAT.

Moving on to the raw table, note that each rule is commented to be
descriptive.

IMO this is the best approach to use on or for machines which are
primarily recursive nameservers, and it probably would not hurt
authoritative servers, either.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
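An added check, not from the post above nor from ISC or BIND, that lints an iptables-save dump for the pattern rob0 describes: NOTRACK for UDP/53 in raw PREROUTING and OUTPUT, UNTRACKED in the one conntrack ACCEPT rule (INPUT on the server, FORWARD on a firewall), and no nat rules because NOTRACK and DNAT are exclusive. The sample dump, the function names and the accept_chain parameter are constructed for this example.

```python
import shlex
def parse_save(dump):
    """Return {table: [argv list per -A rule]} parsed from iptables-save text."""
    tables, table = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):               # table header, e.g. *raw
            table = line[1:]
        elif line.startswith("-A") and table:  # one rule; shlex keeps quoted comments whole
            tables.setdefault(table, []).append(shlex.split(line))
    return tables

def _has(rules, chain, **want):
    # True if some rule in `chain` carries every option/value pair in `want`
    for argv in rules:
        if argv[:2] != ["-A", chain]:
            continue
        opts = {argv[i]: argv[i + 1] for i in range(2, len(argv) - 1)}
        if all(opts.get(k) == v for k, v in want.items()):
            return True
    return False

def lint(dump, accept_chain="INPUT"):
    """Return findings; an empty list means the dump follows the post's pattern."""
    t, findings = parse_save(dump), []
    raw = t.get("raw", [])
    for chain in ("PREROUTING", "OUTPUT"):
        for port_opt in ("--dport", "--sport"):
            if not _has(raw, chain, **{"-p": "udp", port_opt: "53", "-j": "NOTRACK"}):
                findings.append(f"raw {chain}: no NOTRACK rule for udp {port_opt} 53")
    # Untracked packets never match RELATED/ESTABLISHED, so the ACCEPT rule must list UNTRACKED.
    accepts = [a for a in t.get("filter", []) if a[:2] == ["-A", accept_chain]
               and "--ctstate" in a and a[-1] == "ACCEPT"]
    if not any("UNTRACKED" in a[a.index("--ctstate") + 1].split(",") for a in accepts):
        findings.append(f"filter {accept_chain}: conntrack ACCEPT rule lacks UNTRACKED")
    if t.get("nat"):                           # NOTRACK and DNAT are exclusive
        findings.append("nat table has rules: NOTRACK does not combine with NAT")
    return findings

# Constructed sample dump, trimmed from the ruleset in the post above.
GOOD_DUMP = """\
*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
COMMIT
*raw
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "no track" -j NOTRACK
-A PREROUTING -p udp -m udp --sport 53 -j NOTRACK
-A OUTPUT -p udp -m udp --dport 53 -j NOTRACK
-A OUTPUT -p udp -m udp --sport 53 -j NOTRACK
COMMIT
"""
```

Running `lint(GOOD_DUMP, accept_chain="FORWARD")` shows the firewall case from the post: the same dump is flagged because the conntrack ACCEPT sits in INPUT rather than FORWARD.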

