How does one configure UFW to allow private DNS requests, but block DNS requests from the internet


I have an Ubuntu Server 12.04, with two network cards:

  • eth0 is connected to the internet
  • eth1 is connected to a private network (192.168.10.1)

The server is configured as a gateway and hosts DNS and DHCP for the private network. Computers in the private network (say with IP address 192.168.10.50) can successfully connect to the internet.

The UFW rules look as follows:

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
67/udp on eth1             ALLOW       68/udp
53                         ALLOW       Anywhere
22                         ALLOW       Anywhere (v6)
80                         ALLOW       Anywhere (v6)
443                        ALLOW       Anywhere (v6)
67/udp on eth1             ALLOW       68/udp
53                         ALLOW       Anywhere (v6)

Any internet user can query my DNS server. I'd like to block such requests as it poses a security risk. I reset the firewall, allowed access to ports 80, 443, 22 and typed the following to only permit devices on the private network to make DNS requests.

sudo ufw allow in on eth1 to 192.168.10.1 port 53

When I type the following on a Windows computer (with IP address 192.168.10.50) in the private network:

nslookup google.com. 192.168.10.1

I get a response back that looks as follows:

DNS request timed out.
    timeout was 2 seconds.
Server: Unknown
Address: 192.168.10.1

When I reset the firewall and allow access to port 53 from anywhere, everything works again.

sudo ufw allow 53

How does one configure UFW on 192.168.10.1 to

  • block incoming DNS queries from the internet (aka eth0)
  • allow computers in the private network to make DNS queries
  • allow the DNS server on 192.168.10.1 to forward internal DNS requests to the internet
  • work for both IPv4 and IPv6

Best Answer

In addition to blocking traffic at the UFW I would also limit connections on your DNS server. Assuming you're using BIND, something similar to this:

# Networks that are allowed to send recursive queries to this server
acl internal {
  192.168.10.0/24;
  # Add other internal networks here
};
options {
  # Only bind the resolver to the private-side address, not the eth0 address
  listen-on { 192.168.10.1; };
  # Refuse queries from any source that is not in the "internal" ACL
  allow-query { internal; };
};
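The UFW side of the same two-layer setup, as an added example that is not part of the answer or the original post. It assumes the interface names (eth0 internet, eth1 private) and the 192.168.10.0/24 network from the question, and prints the rule set so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: UFW rule set for a gateway whose resolver should answer only
# the private network. Assumed from the question: eth1 = LAN, eth0 = internet.
LAN_IF="eth1"

# Emit the rules instead of applying them directly, so they can be inspected
# (and checked in a test) before being piped into a root shell.
dns_rules() {
    # Default policy: drop unsolicited inbound traffic on every interface
    # (this is what stops internet queries arriving on eth0), but keep
    # outbound open so the resolver can still forward queries upstream.
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # Accept DNS only when it arrives on the LAN interface. Both UDP and TCP
    # are needed: TCP carries answers too large for UDP and zone transfers.
    # 'to any' (rather than 'to 192.168.10.1') lets ufw also emit the IPv6
    # twin of each rule when IPV6=yes is set in /etc/default/ufw.
    echo "ufw allow in on ${LAN_IF} to any port 53 proto udp"
    echo "ufw allow in on ${LAN_IF} to any port 53 proto tcp"
}

# Apply the reviewed rules as root and show the resulting table.
apply_dns_rules() {
    dns_rules | sudo sh -e
    sudo ufw status verbose
}

# Verify afterwards with "dig @192.168.10.1 google.com +time=2 +tries=1":
# a LAN host should get an answer, an internet host should time out.
if [ "${1:-}" = "--apply" ]; then
    apply_dns_rules
fi
```

Run the script with `--apply` to load the rules; without the flag it only prints them.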