Hi,
Ruud Baart wrote:
> As I can see the DNSAmp macro does not work as I expect. Perhaps I do
> something wrong.
>
> With the imperfect firewall rule I test the DNS recursive query:
>
> The rule:
> IPTABLES(DROP) wan1:!$TRUSTEDHOSTS lan1 udp 53 ; -m string --algo bm --hex-string "|01000001|"
>
> This is what I expect: only queries for which the DNS server is
> responsible are handled.
Mh? That sounds strange... are you saying you are expecting that iptables
should know "our DNS server is responsible for foo.tld and bar.tld. Queries
for any other domains should be dropped/rejected"?
How should that work?
Remember what the rule you quoted is doing: It is just matching for DNS
queries of the ANY type. In other words: Only queries from clients which
aren't $TRUSTEDHOSTS like
dig @dns.yourdomain.com isc.org ANY
will be dropped. But queries from any client like
dig @dns.yourdomain.com isc.org TXT
will be answered because the iptables rules will only match for DNS query
type "ANY".
I am not yet sure about shorewall's new DNSAmp action but it looks like it
is doing the same (just blocking *any* ANY query, which could be a problem
if you need ANY queries) using the u32 module for better performance.
--
Regards,
Igor
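To see which packets a given `--hex-string` pattern actually selects, here is an added example (not from this thread and not Shorewall or iptables code). It builds the UDP payload `dig` would send for an ANY and a TXT query and emulates the iptables string match as what it is, a substring search over the whole payload. The name isc.org, the fixed transaction ID and the rd=0 probe are constructed inputs; the second pattern, "|00ff0001|" (QTYPE ANY, QCLASS IN), is included for comparison and is not taken from the thread.

```python
import struct

QTYPE_TXT = 16   # RFC 1035 section 3.2.2
QTYPE_ANY = 255  # QTYPE "*" (ANY), RFC 1035 section 3.2.3
QCLASS_IN = 1


def build_query(qname, qtype, rd=True, txid=0x1234):
    """Build the UDP payload of a plain DNS query (RFC 1035 section 4.1).

    This is what `dig @server NAME TYPE` sends, minus the EDNS OPT record
    dig adds by default (it does not change the header bytes looked at here).
    txid is a constructed, fixed transaction ID so the output is repeatable.
    """
    flags = 0x0100 if rd else 0x0000                         # bit 8 = RD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT = 1
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        question += bytes([len(raw)]) + raw                  # length-prefixed label
    question += b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)  # root, QTYPE, QCLASS
    return header + question


def qtype_of(payload):
    """Read the QTYPE of the first question by walking past the QNAME labels."""
    pos = 12                                   # fixed 12-byte header
    while payload[pos] != 0:
        pos += 1 + payload[pos]                # skip one label
    pos += 1                                   # root label terminator
    return struct.unpack("!H", payload[pos:pos + 2])[0]


def string_match(payload, hex_pattern):
    """Emulate `-m string --algo bm --hex-string "|...|"`.

    The string match is a byte substring search at any offset in the
    payload; it has no notion of DNS fields.
    """
    needle = bytes.fromhex(hex_pattern.strip("|").replace(" ", ""))
    return needle in payload


def match_report(hex_pattern):
    """Which of three typical queries would a DROP rule with this pattern hit?"""
    probes = {
        "ANY rd=1": build_query("isc.org", QTYPE_ANY),             # dig isc.org ANY
        "TXT rd=1": build_query("isc.org", QTYPE_TXT),             # dig isc.org TXT
        "ANY rd=0": build_query("isc.org", QTYPE_ANY, rd=False),   # dig +norecurse
    }
    return {name: string_match(payload, hex_pattern) for name, payload in probes.items()}


if __name__ == "__main__":
    for pattern in ("|01000001|", "|00ff0001|"):
        print(pattern, match_report(pattern))
```

Running it shows what the two patterns key on. "01 00 00 01" is bytes 2 to 5 of the header of any query with the RD flag set and one question (flags 0x0100, QDCOUNT 1), so it fires on the TXT query as well as the ANY one and not on an ANY query sent with RD clear. "00 ff 00 01" is the QTYPE ANY / QCLASS IN pair at the end of the question and fires only on the ANY queries. Either way a string match can also fire when the same bytes happen to occur elsewhere in the payload, for example inside a label; matching at a fixed offset (what the u32 module does) avoids that for the header, but the QTYPE sits after a variable-length QNAME, so it cannot be pinned to one offset.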
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users