Iptables – Allow DNS queries to bind in iptables

bind, domain-name-system, iptables

I have a DNS server up and running with a single DNS zone configured for example.com.
The following command, run on the server, returns the configured DNS zone records:

# dig example.com @ns1.example.com

;; QUESTION SECTION:
;example.com.         IN      A

;; ANSWER SECTION:
example.com.  10800   IN      A       10.0.0.1

;; AUTHORITY SECTION:
example.com.  10800   IN      NS      ns2.example.com.
example.com.  10800   IN      NS      ns1.example.com.

;; ADDITIONAL SECTION:
ns1.example.com. 10800 IN     A       10.0.0.1
ns2.example.com. 10800 IN     A       10.0.0.1

My /etc/hosts file:

127.0.0.1 example.com www.example.com
127.0.0.1 ns1.example.com ns2..example.com

When I try to query the DNS server from another server I get:

$ dig example.com @10.0.0.1

;; connection timed out; no servers could be reached

The actual public IP address of the server has been substituted with 10.0.0.1.
I believe the issue is most probably caused by iptables filtering, since the DNS service responds to local queries.
Here are my iptables rules:

Chain INPUT (policy DROP 14 packets, 1498 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      259  157K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      325 26717 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3     287K  149M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    14721  872K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
5      165  7988 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 48 packets, 2949 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      259  157K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
2     292K   46M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22
3    16605 1195K ACCEPT     udp  --  *      *       0.0.0.0/0            8.8.8.8             udp dpt:53
4      130  9822 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
5      430 18880 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
6      342  148K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:80 state ESTABLISHED

I have tried to allow incoming/outgoing connections on port 53, both TCP and UDP, using the following rules, but unfortunately the DNS service is still not reachable from the Internet:

iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT

Here is a TCPDUMP:

[root@localhost ~]# tcpdump port 53 and host {my_ip}
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:03:43.011650 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396679618 ecr 0,nop,wscale 6], length 0
08:03:44.006447 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396679718 ecr 0,nop,wscale 6], length 0
08:03:46.006615 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396679918 ecr 0,nop,wscale 6], length 0
08:03:50.016643 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396680319 ecr 0,nop,wscale 6], length 0
08:03:58.026589 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396681120 ecr 0,nop,wscale 6], length 0
08:04:14.066598 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396682724 ecr 0,nop,wscale 6], length 0
08:04:46.186714 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396685936 ecr 0,nop,wscale 6], length 0
7 packets captured
7 packets received by filter
0 packets dropped by kernel

Any hints will be appreciated 🙂

Best Answer

I think I've got your problem: the iptables rules in the OUTPUT chain are blocking UDP port 53 traffic from the interface that has been assigned the IP 10.0.0.1.

Please use the following command to allow outgoing DNS requests.

iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

First update

Please check that BIND is listening on all interfaces, i.e. named.conf has listen-on { any; };
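As an added example (not from the question or the answer above), here is a stateful rule set for a host whose INPUT and OUTPUT chains both have policy DROP, like the one in the question: it accepts inbound queries on UDP and TCP 53, lets the replies (which leave from source port 53 toward the client's ephemeral port) out through one RELATED,ESTABLISHED rule in OUTPUT, and allows the server's own upstream lookups to any resolver rather than only 8.8.8.8. The IPTABLES variable is an assumption of this script; setting it to echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: open DNS on an INPUT/OUTPUT policy-DROP host.
# IPTABLES can be overridden (e.g. IPTABLES=echo) to print the rules
# instead of applying them; the dry-run helper below relies on that.
IPTABLES="${IPTABLES:-iptables}"

allow_dns() {
    # Inbound queries: UDP for ordinary lookups, TCP for zone transfers
    # and for responses too large for UDP (the tcpdump in the question
    # shows unanswered TCP SYNs to port 53, so TCP must be opened too).
    for proto in udp tcp; do
        "$IPTABLES" -A INPUT -p "$proto" --dport 53 \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # The question's OUTPUT chain has policy DROP and no
    # RELATED,ESTABLISHED rule, so replies leaving from source port 53
    # are dropped. One stateful rule covers the replies of every
    # accepted connection, replacing per-port "spt:22"/"spt:80" rules.
    "$IPTABLES" -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED \
        -j ACCEPT

    # The server's own forwarded/recursive lookups, to any upstream
    # (the question's OUTPUT rule 3 only allowed 8.8.8.8 over UDP).
    for proto in udp tcp; do
        "$IPTABLES" -A OUTPUT -p "$proto" --dport 53 \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Dry run in a subshell: print the rules instead of applying them and
# count how many ACCEPT rules the function would add (expected: 5).
dns_rule_count() {
    ( IPTABLES=echo; allow_dns ) | grep -c -- '-j ACCEPT'
}
```

Run the script as root to apply the rules, or inspect them first with IPTABLES=echo.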