disabling stateful firewalls for DNS traffic

Phil Mayers p.mayers at imperial.ac.uk
Sat Mar 1 15:35:25 UTC 2014


On 01/03/2014 14:30, Chuck Anderson wrote:

> How should these rules be changed to adhere to the Best Practices
> while not breaking anything and still allowing the servers to do their
> own DNS lookups?  I know theoretically how I would do this, but I'm
> looking for others' experiences.

There are probably an arbitrary number of ways to skin this cat.

We ensure the DNS service runs on a separate IP to any other traffic on 
the box. We also ensure that inbound queries hit one IP, outbound go 
from another.

We then have something similar to this:

-A INPUT -d <auth/recursive service ip> -j DNS-QUERY
-A INPUT -d <recursive query-source>    -j DNS-REPLY

-A DNS-QUERY -f -j ACCEPT
-A DNS-QUERY -p udp --dport 53 -j ACCEPT
-A DNS-QUERY -p tcp --dport 53 -j ACCEPT
-A DNS-QUERY -p udp -j DROP
-A DNS-QUERY -p tcp -j DROP
-A DNS-QUERY -j ACCEPT

-A DNS-REPLY -p tcp --syn -j DROP
-A DNS-REPLY -p tcp --dport 0:1023 -j DROP
-A DNS-REPLY -p tcp -j ACCEPT
-A DNS-REPLY -p udp --dport 0:1023 -j DROP
-A DNS-REPLY -p udp -j ACCEPT
-A DNS-REPLY -j ACCEPT

The DNS-QUERY chain allows all traffic inbound to port 53 and fragments, 
and denies all other TCP/UDP. It permits all others, which is relatively 
open but you could lock this down to allowing ICMP etc. if you wanted.

The DNS-REPLY chain drops tcp syn and dst port <1024 tcp/udp. It then 
allows all TCP/UDP (including frags), which is needed as bind uses 
random query source ports. You could of course put DROP statements in 
higher up if you know you have non-bind processes listening on high(er) 
ports. Same comment as above for the final ACCEPT.

It should go without saying that -j LOG is an extremely bad idea; if you 
must do this, supplement it with a -m limit which is "light" state, one 
counter/timestamp per rule. Avoid -m hashlimit!

If you can't spare the 2 extra IPs for this, it should be obvious how to 
merge these two rulesets - split off into chains based on dport - but 
the IP separation has other advantages.

These are relatively open rules and in particular they have some weak 
spots around fragmentation attacks, but have a couple of advantages; 
they're completely stateless, easy to understand, and most importantly 
serve as part of a defense-in-depth; we use these rules, tcpwrappers, 
SELinux confinement, bind ACLs and network-level ACLs at our border to 
ensure it's all locked down.

The advice to not statefully process DNS traffic is excellent advice. 
Personal experience is that suddenly being a node which attackers try to 
reflect from can really ruin your day if you're stateful.


More information about the bind-users mailing list