Blocking DNS addresses from general use
Stephen Smith
ischis@evergreen.com
Tue, 21 Mar 2000 09:45:02 -0700
Ok, why would I want to block using both IP Chains and at the DNS query level? What
I have is a server that has a public IP address that I don't want to serve the
general public.
Stephen
>
> On Mon, 20 Mar 2000, Stephen Smith wrote:
>
> > I want to accept DNS server use from a range of IP addresses. How do I do that?
> >
> > I tried using IPChains - accepting from certain subnets and denying everyone else.
> > But that blocked the lookups from the other servers.
>
> # Undefine LOCALNET if there is no network card
> LOCALNET=10.1.1.0
> INTIP=10.1.1.96
> EXTIP=192.168.1.90
>
> # Find out what nameservers we use
> NAMESERVERS=`awk '($1 ~ "nameserver") {print $2}' < /etc/resolv.conf`
>
> if [ -z "$NAMESERVERS" ]
> then
> ipchains -A ext-in -j ACCEPT -p TCP -d 0/0 53
> ipchains -A ext-in -j ACCEPT -p UDP -d 0/0 53
> else
> for NAMESERVER in ${NAMESERVERS} ; do
> ipchains -A ext-in -j ACCEPT -p TCP -s $NAMESERVER -d $EXTIP 53
> ipchains -A ext-in -j ACCEPT -p UDP -s $NAMESERVER -d $EXTIP 53
> done
> fi
>
> # for internal use of dns services
> ipchains -A int-in -j ACCEPT -p TCP -s $LOCALNET/24 -d $INTIP 53
> ipchains -A int-in -j ACCEPT -p UDP -s $LOCALNET/24 -d $INTIP 53
>
> # ext-in is the input chain for the external interface
> # int-in is the input chain for the internal interface
>
> Don't forget the dns stuff that Mike suggested as well.
>
> If you throw a "-l" on the end of all of the above ipchains commands you
> should see ACCEPTs in the logs when queries are made. Also don't forget
> that dns queries to port 53 in both TCP and UDP come from either above 1023 or
> from port 53.
>
> ciao,
>
> der.hans
> --
> # +++++++++++=================================+++++++++++ #
> # der.hans@LuftHans.com www.excelco.com #
> # http://home.pages.de/~lufthans/ #
> # I'm not anti-social, I'm pro-individual. - der.hans #
> # ===========+++++++++++++++++++++++++++++++++=========== #
>
> _______________________________________________
> Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
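As an added example (not code from the thread), a small Python model of the two layers der.hans's reply describes: an ipchains-style input chain that accepts port-53 traffic only from the served subnet plus the nameservers listed in /etc/resolv.conf, with a BIND-style allow-query ACL behind it. All addresses and the resolv.conf contents are constructed; the model shows why "accept my subnets, deny everyone else" also drops the upstream resolvers' replies, and what the DNS-level ACL still catches after the firewall rule lets a packet in.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample inputs (not from the thread): the resolvers this host
# itself forwards to, its external address, and the one subnet it should serve.
RESOLV_CONF = "nameserver 192.168.1.1\nnameserver 192.168.1.2\n"
EXTIP = ipaddress.ip_address("192.168.1.90")
ALLOWED_NETS = [ipaddress.ip_network("10.1.1.0/24")]  # allow-query { 10.1.1.0/24; }

@dataclass
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    is_response: bool = False  # the DNS QR bit: invisible to a port filter

def nameservers(resolv_conf: str):
    """Same idea as the awk one-liner: collect the nameserver addresses."""
    return [line.split()[1] for line in resolv_conf.splitlines()
            if line.startswith("nameserver")]

def build_ext_in(allow_upstream: bool):
    """ACCEPT rules as (src_net, dport) for the external input chain."""
    rules = [(net, 53) for net in ALLOWED_NETS]          # the naive ruleset
    if allow_upstream:  # the fix from the reply: let the resolvers' replies in
        rules += [(ipaddress.ip_network(ns + "/32"), 53)
                  for ns in nameservers(RESOLV_CONF)]
    return rules

def firewall(rules, p: Pkt) -> str:
    """First match wins; an unmatched packet hits the chain's DENY policy."""
    src = ipaddress.ip_address(p.src)
    if ipaddress.ip_address(p.dst) != EXTIP:
        return "DENY"
    return "ACCEPT" if any(src in net and p.dport == dport
                           for net, dport in rules) else "DENY"

def named(p: Pkt) -> str:
    """Second layer: BIND answers queries only from allow-query networks."""
    if p.is_response:
        return "MATCHED"  # a reply to a query this server sent out itself
    src = ipaddress.ip_address(p.src)
    return "ANSWER" if any(src in net for net in ALLOWED_NETS) else "REFUSED"

def outcome(p: Pkt, allow_upstream: bool = True) -> str:
    verdict = firewall(build_ext_in(allow_upstream), p)
    return verdict if verdict == "DENY" else f"ACCEPT/{named(p)}"

if __name__ == "__main__":
    reply = Pkt("192.168.1.1", "192.168.1.90", 53, 53, is_response=True)
    print("naive ruleset drops upstream reply:", outcome(reply, False))
    print("with nameserver rules:", outcome(reply))
```

The last case in the test below is the answer to "why both": a packet from a nameserver's address with a query in it passes the firewall (which sees only addresses and ports), and it is the allow-query ACL that refuses it.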