2014-03-02 3:04 GMT+08:00 /dev/rob0 <[email protected]>:
> On Sat, Mar 01, 2014 at 03:35:25PM +0000, Phil Mayers wrote:
>> On 01/03/2014 14:30, Chuck Anderson wrote:
>>
>> >How should these rules be changed to adhere to the Best Practices
>> >while not breaking anything and still allowing the servers to do
>> >their own DNS lookups? I know theoretically how I would do this,
>> >but I'm looking for others' experiences.
>>
>> There are probably an arbitrary number of ways to skin this cat.
>
> Yes, and here's another. :) (Also Linux-specific.)
>
> In my view there's no point in Linux connection tracking for UDP DNS
> queries. A typical UDP "connection" is two packets: a query going
> out, and an answer coming back. And as I have seen, a busy named
> server can have lots of these entries in its conntrack table. Each
> entry requires kernel-space memory of course, and each entry counts
> against the total number of entries that the table can accommodate.
>
> Therefore my approach is to use the raw table to keep these
> "connections" out of conntrack altogether.
>
> The following sample ruleset is obviously incomplete; there is no
> filtering being done.
>
> root@tp:~# iptables-save
> # Generated by iptables-save v1.4.20 on Sat Mar  1 12:42:55 2014
> *filter
> :INPUT ACCEPT [1:324]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2:104]
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
> COMMIT
> # Completed on Sat Mar  1 12:42:55 2014
> # Generated by iptables-save v1.4.20 on Sat Mar  1 12:42:55 2014
> *raw
> :PREROUTING ACCEPT [96:19019]
> :OUTPUT ACCEPT [118:13918]
> -A PREROUTING -p udp -m udp --dport 53 -m comment --comment "do not track inbound DNS queries on UDP" -j NOTRACK
> -A PREROUTING -p udp -m udp --sport 53 -m comment --comment "do not track inbound DNS replies on UDP" -j NOTRACK
> -A OUTPUT -p udp -m udp --dport 53 -m comment --comment "do not track outbound DNS queries on UDP" -j NOTRACK
> -A OUTPUT -p udp -m udp --sport 53 -m comment --comment "do not track outbound DNS replies on UDP" -j NOTRACK
The NOTRACK module is being deprecated in the kernel; the equivalent usage is:

-A PREROUTING -p udp -m udp --dport 53 -j CT --notrack

> COMMIT
> # Completed on Sat Mar  1 12:42:55 2014
>
> Note that in the filter table, only one rule is required to do all
> conntrack-based acceptance. The example above is for a ruleset on a
> named server, but if this was for a firewall in front of a named
> server, you would need that rule in FORWARD, not INPUT.
>
> Note also: NOTRACK and DNAT are exclusive. If you're wanting to do
> this on a NAT router, forget it. For now, increase the size of your
> conntrack table as much as necessary; later, get it set up without
> the NAT.
>
> Moving on to the raw table, note that each rule is commented to be
> descriptive.
>
> IMO this is the best approach to use on or for machines which are
> primarily recursive nameservers, and it probably would not hurt
> authoritative servers, either.
> --
> http://rob0.nodns4.us/
> Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/bind-users
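The ruleset discussed in the thread, rewritten in the `-j CT --notrack` form the reply recommends, as an added example that is not part of the original messages. The POSIX shell script below generates an iptables-restore ruleset for either a nameserver (filter rules in INPUT) or a firewall in front of one (filter rules in FORWARD), loads it into both iptables and ip6tables on request, and counts the UDP/53 entries in `/proc/net/nf_conntrack` so the effect can be verified. The function names, the `SAMPLE_CONNTRACK` lines (constructed, not captured from a real host) and the choice to accept UNTRACKED packets only when they are UDP/53 are this example's own; it assumes a Linux kernel with the xt_CT target and the nf_conntrack module loaded.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): keep UDP DNS out of
# conntrack with the CT target instead of the deprecated NOTRACK target.
# Assumes: Linux, iptables with xt_CT (-j CT --notrack), nf_conntrack loaded
# so that /proc/net/nf_conntrack exists. Run as root to apply.

# dns_notrack_ruleset CHAIN
#   Print an iptables-restore ruleset. CHAIN is INPUT when the rules run on
#   the nameserver itself, FORWARD when they run on a firewall in front of it.
#   The same text loads into ip6tables-restore because it contains no addresses.
dns_notrack_ruleset() {
    chain="${1:-INPUT}"
    case "$chain" in
        INPUT|FORWARD) ;;
        *) echo "usage: dns_notrack_ruleset INPUT|FORWARD" >&2; return 2 ;;
    esac
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "do not track inbound DNS queries on UDP" -j CT --notrack
-A PREROUTING -p udp -m udp --sport 53 -m comment --comment "do not track inbound DNS replies on UDP" -j CT --notrack
-A OUTPUT -p udp -m udp --dport 53 -m comment --comment "do not track outbound DNS queries on UDP" -j CT --notrack
-A OUTPUT -p udp -m udp --sport 53 -m comment --comment "do not track outbound DNS replies on UDP" -j CT --notrack
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A $chain -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A $chain -p udp -m udp --dport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
-A $chain -p udp -m udp --sport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
-A $chain -m conntrack --ctstate UNTRACKED -m comment --comment "only UDP/53 is exempt from tracking; anything else untracked is unexpected" -j DROP
COMMIT
EOF
}

# apply_dns_notrack CHAIN
#   Load the ruleset for IPv4 and IPv6. -n (--noflush) keeps the rules already
#   in the raw and filter tables; re-running it therefore appends duplicates.
apply_dns_notrack() {
    dns_notrack_ruleset "$1" | iptables-restore -n &&
    dns_notrack_ruleset "$1" | ip6tables-restore -n
}

# udp53_conntrack_entries
#   Read /proc/net/nf_conntrack format on stdin and count entries whose
#   original direction is UDP to port 53 (field 3 is the protocol name, the
#   first "dport=" belongs to the original direction). Once the raw rules
#   are loaded this number falls to 0 as the old entries time out.
udp53_conntrack_entries() {
    awk '$3 == "udp" && / dport=53 / { n++ } END { print n + 0 }'
}

# Constructed sample of /proc/net/nf_conntrack output (not real data): what a
# resolver's table looks like before the raw rules exist. Three UDP/53 entries.
SAMPLE_CONNTRACK='ipv4     2 udp      17 29 src=192.0.2.10 dst=198.51.100.1 sport=41234 dport=53 src=198.51.100.1 dst=192.0.2.10 sport=53 dport=41234 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.2 sport=48230 dport=22 src=198.51.100.2 dst=192.0.2.10 sport=22 dport=48230 [ASSURED] mark=0 use=1
ipv4     2 udp      17 17 src=192.0.2.10 dst=198.51.100.3 sport=41900 dport=53 [UNREPLIED] src=198.51.100.3 dst=192.0.2.10 sport=53 dport=41900 mark=0 use=1
ipv6     10 udp      17 22 src=2001:0db8:0000:0000:0000:0000:0000:0010 dst=2001:0db8:0000:0000:0000:0000:0000:0053 sport=42000 dport=53 src=2001:0db8:0000:0000:0000:0000:0000:0053 dst=2001:0db8:0000:0000:0000:0000:0000:0010 sport=53 dport=42000 mark=0 use=1
ipv4     2 udp      17 170 src=192.0.2.10 dst=198.51.100.4 sport=123 dport=123 src=198.51.100.4 dst=192.0.2.10 sport=123 dport=123 mark=0 use=1'

# Usage:  script            print the INPUT ruleset (nameserver host)
#         script FORWARD    print the FORWARD ruleset (firewall in front)
#         script apply [CHAIN]   load it into the kernel (root)
#         script count      count live UDP/53 conntrack entries
case "${1:-}" in
    apply) apply_dns_notrack "${2:-INPUT}" ;;
    count) udp53_conntrack_entries < /proc/net/nf_conntrack ;;
    *)     dns_notrack_ruleset "${1:-INPUT}" ;;
esac
```

Two points a practitioner should keep in mind. First, the quoted ruleset accepts every UNTRACKED packet in one rule, which is safe only because UDP/53 is the sole traffic exempted from tracking; the version above says that explicitly by accepting UNTRACKED packets only for UDP/53 and dropping any other untracked packet, so a later raw-table addition cannot silently open the filter. Second, once DNS replies are untracked the kernel no longer pairs a reply with its query: any UDP packet with source port 53 is admitted by port number alone, and the transaction ID and source port randomization in named become the only check on it. As the thread notes, untracked packets also bypass DNAT, so the approach does not fit a NAT router. After loading the rules, `script count` should trend to zero as the existing entries expire; `iptables -t raw -S` and `ip6tables -t raw -S` confirm the CT rules are present in both families.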

