Linux – How to disable access to DNS server from internet, leaving intranet intact? Using iptables

Tags: ddos, domain-name-system, firewall, iptables, linux

I have to manage one server with Open DNS service turned on. Recently, it was heavily abused for DDoS DNS amplification attacks by unknown internet attackers. This DNS service is used by some localhost programs and intranet clients in a way I don't fully understand, which is why I am afraid of any reconfiguration of the DNS service itself. However, I thought that if I deny all DNS requests from the outer internet, it may solve my problems.

My questions are:

1) How to deny all DNS requests from outer internet using iptables, leaving localhost and intranet (IP: 10.0.0.X and 10.0.1.X) intact?

2) Won't it harm usability of DNS service from intranet?

3) Won't it harm usability of other internet services (web+mail+db) on the server?

All domains currently used by our websites are managed by another company on their server; to my knowledge, nobody from the outer internet should need access to our DNS service.

Thank you.

Best Answer

The easiest way to remove access from the outside would be to block all external access to UDP (and possibly TCP) port 53. That will stop it serving requests outwards but leave outgoing traffic to port 53 open, so it can still make recursive requests for your internal servers.

If you're going to offer a recursive nameserver to the internet, it's advisable that you know a good deal about the security and configuration of your server. Otherwise, leave it to the professionals, or hosting services.
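An iptables rule set that implements the answer above, added here as an example and not part of the original answer. It assumes the resolver listens on UDP and TCP port 53 and that the intranet is 10.0.0.0/24 and 10.0.1.0/24 (the "10.0.0.X and 10.0.1.X" from the question); the chain name `DNS_IN` and the `DNS-DROP:` log prefix are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original answer): drop DNS queries arriving
# from the internet while leaving localhost and the intranet ranges from the
# question untouched. Assumptions: resolver listens on UDP and TCP 53;
# intranet is 10.0.0.0/24 and 10.0.1.0/24.

INTRANET_NETS="10.0.0.0/24 10.0.1.0/24"
CHAIN="DNS_IN"   # chain name chosen for this example

# Print the rules, one per line, without the iptables binary in front, so
# they can be reviewed (or tested) before they are applied.
dns_rules() {
    # Loopback first: local programs resolving via 127.0.0.1 keep working.
    echo "-A $CHAIN -i lo -j ACCEPT"
    # Then every intranet range.
    for net in $INTRANET_NETS; do
        echo "-A $CHAIN -s $net -j ACCEPT"
    done
    # Everything else reaching port 53 is logged (rate limited) and dropped.
    # DROP rather than REJECT: no reply packet for a spoofed source to amplify.
    echo "-A $CHAIN -m limit --limit 5/min -j LOG --log-prefix DNS-DROP:"
    echo "-A $CHAIN -j DROP"
    # Only traffic *to* port 53 is diverted. Outbound recursion (OUTPUT chain)
    # and the replies it receives (destined to a high port) are untouched, so
    # web, mail and DB services that resolve names are not affected.
    echo "-I INPUT -p udp --dport 53 -j $CHAIN"
    echo "-I INPUT -p tcp --dport 53 -j $CHAIN"
}

# Apply the rules (needs root). The chain is created if missing, flushed if
# present, and stale jumps are removed so the script can be re-run safely.
apply_dns_rules() {
    iptables -N "$CHAIN" 2>/dev/null || iptables -F "$CHAIN"
    iptables -D INPUT -p udp --dport 53 -j "$CHAIN" 2>/dev/null || true
    iptables -D INPUT -p tcp --dport 53 -j "$CHAIN" 2>/dev/null || true
    dns_rules | while read -r rule; do
        # word splitting of $rule into iptables arguments is intended
        iptables $rule
    done
}

# Run as "./dns_firewall.sh apply" to install the rules; with no argument
# the script only prints them for review.
if [ "${1:-}" = "apply" ]; then
    apply_dns_rules
else
    dns_rules
fi
```

After applying, `iptables -L DNS_IN -n -v` shows per-rule packet counters, and the `DNS-DROP:` lines in the kernel log give a cheap view of how much amplification traffic is still being aimed at the server. A query from an intranet host (for example `dig @10.0.0.1 example.com` with the server's intranet address) should still answer, while the same query from an external address should time out.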
