Blocking DNS addresses from general use

Author: Stephen Smith
Date:  
Subject: Blocking DNS addresses from general use
Ok, why would I want to block both with IPChains and at the DNS query level? What
I have is a server that has a public IP address that I don't want to serve the
general public.

Stephen

>
> On Mon, 20 Mar 2000, Stephen Smith wrote:
>
> > I want to accept DNS server use from a range of IP addresses. How do I do that?
> >
> > I tried using IPChains - accepting from certain subnets and denying everyone else.
> > But that blocked the lookups from the other servers.
>
> # Undefine LOCALNET if there is no network card
> LOCALNET=10.1.1.0
> INTIP=10.1.1.96
> EXTIP=192.168.1.90
>
> # Find out what nameservers we use (the "nameserver" lines of resolv.conf)
> NAMESERVERS=`awk '($1 ~ "nameserver") {print $2}' < /etc/resolv.conf`
>
> if [ -z "$NAMESERVERS" ]
> then
>         # No nameservers configured: accept DNS to port 53 from anywhere
>         # on the external interface
>         ipchains -A ext-in -j ACCEPT -p TCP -d 0/0 53
>         ipchains -A ext-in -j ACCEPT -p UDP -d 0/0 53
> else
>  # Otherwise only our own nameservers may reach port 53 on the external address
>  for NAMESERVER in ${NAMESERVERS} ; do
>         ipchains -A ext-in -j ACCEPT -p TCP -s $NAMESERVER -d $EXTIP 53
>         ipchains -A ext-in -j ACCEPT -p UDP -s $NAMESERVER -d $EXTIP 53
>  done
> fi
>
> # for internal use of dns services: the local /24 may query the internal address
> ipchains -A int-in -j ACCEPT -p TCP -s $LOCALNET/24 -d $INTIP 53
> ipchains -A int-in -j ACCEPT -p UDP -s $LOCALNET/24 -d $INTIP 53
>
> # ext-in is the input chain for the external interface
> # int-in is the input chain for the internal interface
>
> Don't forget the dns stuff that Mike suggested as well.
>
> If you throw a "-l" on the end of all of the above ipchains commands you
> should see ACCEPTs in the logs when queries are made. Also don't forget
> that DNS queries go to port 53 over both TCP and UDP, from a source port
> either above 1023 or equal to 53.
>
> ciao,
>
> der.hans
> --
> # +++++++++++=================================+++++++++++ #
> #                    www.excelco.com #
> #            http://home.pages.de/~lufthans/              #
> #   I'm not anti-social, I'm pro-individual. - der.hans   #
> # ===========+++++++++++++++++++++++++++++++++=========== #
>
> _______________________________________________
> Plug-discuss mailing list -
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
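The rules quoted above are the whole recipe, but one thing bites people who
try it: ipchains is stateless, so a blanket deny on port 53 also drops the
answers to the server's own recursive lookups (BIND 8 sends those from source
port 53 by default, so the reply arrives at port 53 from the upstream's port
53). The script below is an added example, not code from der.hans or Stephen;
it prints the ipchains rules for a resolver whose port 53 should answer only an
allowed list of subnets plus the nameservers in resolv.conf, with explicit
accept rules for upstream replies ahead of a logged deny. The chain name
ext-in follows der.hans's post; every address and the sample resolv.conf are
constructed values, not taken from the thread. Pipe the output through sh to
apply it on a box that actually has ipchains.

```shell
#!/bin/sh
# Added example (not from the original thread): emit ipchains rules that
# expose port 53 only to an allowed set of subnets and to the upstream
# nameservers we forward to. Printing rather than executing lets the rule
# set be reviewed on any machine; run "gen_dns_rules ... | sh" to apply.

# parse_nameservers: read a resolv.conf on stdin, print the nameserver IPs.
parse_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# gen_dns_rules "SUBNET ..." EXTIP "NS ..."
# ipchains takes the first matching rule, so every ACCEPT precedes the DENY.
gen_dns_rules() {
    allowed="$1"; extip="$2"; nameservers="$3"
    for proto in TCP UDP; do
        # Clients that are allowed to use this resolver.
        for net in $allowed; do
            echo "ipchains -A ext-in -j ACCEPT -p $proto -s $net -d $extip 53"
        done
        # Replies to our own recursive queries come back from the upstream's
        # port 53. Accept them to port 53 (BIND 8 default query source) and
        # to the unprivileged range; for TCP only non-SYN packets (! -y), so
        # the upstream can answer but never open a connection to us.
        flags=""
        [ "$proto" = TCP ] && flags=" ! -y"
        for ns in $nameservers; do
            echo "ipchains -A ext-in -j ACCEPT -p $proto$flags -s $ns 53 -d $extip 53"
            echo "ipchains -A ext-in -j ACCEPT -p $proto$flags -s $ns 53 -d $extip 1024:65535"
        done
        # Everyone else: deny and log (-l) so blocked lookups show in syslog.
        echo "ipchains -A ext-in -j DENY -l -p $proto -d $extip 53"
    done
}

# Constructed sample input: a resolv.conf as it might look on the server.
sample_resolv='nameserver 192.0.2.53
nameserver 198.51.100.53'

NS=$(printf '%s\n' "$sample_resolv" | parse_nameservers)
gen_dns_rules "203.0.113.0/24 10.1.1.0/24" 192.0.2.10 "$NS"
```

The packet filter only sees source addresses, not which names are being
asked for, so it is one layer: the "DNS query level" restriction Stephen
mentions (the server's own query access list) is the second, and the two
together mean a spoofed source address alone is not enough to use the server.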