On Fri, Sep 30, 2016 at 11:55:18PM -0400, Larry Larson wrote:
> I've followed instructions in this BIND Knowledge base article and
> installed ip6tables on my DNS server, using raw table with no
> conntrack for DNS:
> https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html

This is mostly for authoritative servers which must be open to queries
from anywhere. Perhaps this is not a real issue, as it sounds like you
might be setting up a recursive server? Of course, it CAN be a problem
for recursive-only servers too; it just depends how many users and
concurrent queries you need to support. If your userbase can flood your
conntrack table, you need this.

> But for IPv6 it drops fragmented packets, for example this query
> fails once the ip6table is on:
> dig +dnssec isc.org any @2001:500:60::30

Can you show us how you found out that it was affecting fragments? Is
this query falling back to TCP? Do you have a pcap?

> Everything works great for IPv4 with similar rules, can someone
> help shed some light on what might be wrong:
>
> # Firewall configuration written by system-config-firewall

A minor issue, the NOTRACK target is deprecated by CT with the
--notrack option. (That's not the problem, however.)

We can test things with a few TRACE rules. Let's add rules as follows:

> *raw
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
-A PREROUTING -s 2001:500:60::30 -j TRACE
-A PREROUTING -d 2001:500:60::30 -j TRACE
> -A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
> -A PREROUTING -p udp -m udp --sport 53 -j NOTRACK
-A OUTPUT -s 2001:500:60::30 -j TRACE
-A OUTPUT -d 2001:500:60::30 -j TRACE
> -A OUTPUT -p udp -m udp --dport 53 -j NOTRACK
> -A OUTPUT -p udp -m udp --sport 53 -j NOTRACK
> COMMIT
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
> -A INPUT -p ipv6-icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> #tcp dns
> -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 53 -j ACCEPT
> -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --sport 53 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
> -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
> COMMIT

For TRACE rules to work the LOG module must be loaded. A quick,
temporary way to do that:

# ip6tables -A INPUT -i bogus -j LOG
# ip6tables -D INPUT -i bogus -j LOG

(That adds and then removes a no-op rule using the LOG target.)

Then repeat your test,

> dig +dnssec isc.org any @2001:500:60::30

on this machine. Then show us "ip6tables-save -c" along with all the
"TRACE" lines from dmesg. A quick way which should work for that:

# dmesg | grep TRACE

After the test, you might want to disable those TRACE rules, in case
you had other business with 2001:500:60::30 -- they can get very
noisy, very quickly.

Coincidentally, I happen to be working on this very issue, with a
different approach: shortened TTL for conntrack entries for UDP DNS.
It came up on the Netfilter mailing list recently. I'll be sure to
post here when that (a documentation patch) is completed.
-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
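The TRACE-then-dmesg procedure in the reply above produces one log line per rule hit, which gets hard to read once a reply splits into fragments; as an added example (not code from the thread, from ISC or from rob0), this shell function condenses those lines into one rule path per packet, keyed on the IPv6 fragment ID. The sample dmesg lines are constructed: the client address, fragment ID and rule hits are invented, and the rule numbers assume the quoted raw PREROUTING chain with the two TRACE rules prepended and the filter INPUT chain as quoted.

```shell
#!/bin/sh
# Added example, not from the thread or from ISC. Condenses the per-rule
# lines that `dmesg | grep TRACE` prints into one path per packet, keyed on
# the IPv6 fragment ID when present, so the first fragment of a DNS reply
# (FRAG:0, UDP ports logged) can be compared with its later fragments
# (FRAG:<offset>, no SPT/DPT on the line, since they carry no UDP header).
# Usage: dmesg | grep TRACE | trace_paths
trace_paths() {
    awk '
    {
        hop = ""; id = ""; frag = ""; src = ""; dst = ""; ports = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "TRACE:")           hop = $(i + 1)
            else if ($i ~ /^ID:/)         id = $i
            else if ($i ~ /^FRAG:/)       frag = $i
            else if ($i ~ /^SRC=/)        src = $i
            else if ($i ~ /^DST=/)        dst = $i
            else if ($i ~ /^(SPT|DPT)=/)  ports = (ports == "") ? $i : ports " " $i
        }
        if (hop == "") next
        # fragments of one datagram share an ID; unfragmented packets are
        # grouped by address pair and ports instead
        key = (id != "") ? id " " frag : src " " dst " " ports
        if (!(key in path)) {
            order[++n] = key
            path[key] = hop
            note[key] = (ports != "") ? ports : "no UDP ports logged"
        } else {
            path[key] = path[key] " -> " hop
        }
    }
    END {
        for (k = 1; k <= n; k++)
            printf "%s [%s]: %s\n", order[k], note[order[k]], path[order[k]]
    }'
}

# Constructed sample (invented client address, fragment ID and rule hits):
# raw PREROUTING rule 1 is the first TRACE rule, rule 4 the --sport 53 NOTRACK,
# policy:5 the chain policy; filter INPUT rule 1 is the conntrack ACCEPT and
# rule 6 the REJECT. Later fragments carry no UDP header, so no ports appear.
SAMPLE='[   12.000001] TRACE: raw:PREROUTING:rule:1 IN=eth0 OUT= SRC=2001:0500:0060:0000:0000:0000:0000:0030 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=1280 TC=0 HOPLIMIT=58 FLOWLBL=0 FRAG:0 ID:0000abcd PROTO=UDP SPT=53 DPT=41234 LEN=1232
[   12.000002] TRACE: raw:PREROUTING:rule:4 IN=eth0 OUT= SRC=2001:0500:0060:0000:0000:0000:0000:0030 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=1280 TC=0 HOPLIMIT=58 FLOWLBL=0 FRAG:0 ID:0000abcd PROTO=UDP SPT=53 DPT=41234 LEN=1232
[   12.000003] TRACE: filter:INPUT:rule:1 IN=eth0 OUT= SRC=2001:0500:0060:0000:0000:0000:0000:0030 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=1280 TC=0 HOPLIMIT=58 FLOWLBL=0 FRAG:0 ID:0000abcd PROTO=UDP SPT=53 DPT=41234 LEN=1232
[   12.000004] TRACE: raw:PREROUTING:rule:1 IN=eth0 OUT= SRC=2001:0500:0060:0000:0000:0000:0000:0030 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=360 TC=0 HOPLIMIT=58 FLOWLBL=0 FRAG:1232 ID:0000abcd PROTO=UDP
[   12.000005] TRACE: raw:PREROUTING:policy:5 IN=eth0 OUT= SRC=2001:0500:0060:0000:0000:0000:0000:0030 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=360 TC=0 HOPLIMIT=58 FLOWLBL=0 FRAG:1232 ID:0000abcd PROTO=UDP
[   12.000006] TRACE: filter:INPUT:rule:6 IN=eth0 OUT= SRC=2001:0500:0060:0000:0000:0000:0000:0030 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=360 TC=0 HOPLIMIT=58 FLOWLBL=0 FRAG:1232 ID:0000abcd PROTO=UDP'
printf '%s\n' "$SAMPLE" | trace_paths
```

On a live box, pipe the real `dmesg | grep TRACE` output into trace_paths instead of the sample; a later fragment whose path ends in a REJECT or DROP rule while the first fragment was accepted is exactly the kind of divergence the TRACE rules are meant to expose.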