disabling stateful firewalls for DNS traffic

Chuck Anderson cra at WPI.EDU
Sat Mar 1 15:59:58 UTC 2014

On Sat, Mar 01, 2014 at 03:35:25PM +0000, Phil Mayers wrote:
> The DNS-QUERY chain allows all traffic inbound to port 53 and
> fragments, and denies all other TCP/UDP. It permits all others,
> which is relatively open but you could lock this down to allowing
> ICMP etc. if you wanted.
> The DNS-REPLY chain drops tcp syn and dst port <1024 tcp/udp. It
> then allows all TCP/UDP (including frags), which is needed as bind
> uses random query source ports. You could of course put DROP
> statements in higher up if you know you have non-bind processes
> listening on high(er) ports. Same comment as above for the final

Excellent.  This is exactly what I was looking for.  Thanks.

> rules, tcpwrappers, SELinux confinement, bind ACLs and network-level
> ACLs at our border to ensure it's all locked down.

To your point about higher-up non-bind processes listening on high(er)
ports, and also your SELinux comment, I've found the following to be
extremely valuable:

options {
        avoid-v4-udp-ports { 1935; 2605; 4321; 6514; range 8610 8614; };
        avoid-v6-udp-ports { 1935; 2605; 4321; 6514; range 8610 8614; };

That list of ports in particular is blocked by default SELinux rules
on RHEL, so not configuring the above causes occasional resolution
failures to be logged like this:

Jul 16 03:27:04 server named[1634]: dispatch 0x7f4acc5c1210: open_socket( -> permission denied: continuing

You can also find these problems by checking your
/var/log/audit/audit.log.  You can list all known SELinux ports like

semanage port -l

(but not all of them are blocked/problematic for BIND to use)

> The advice to not statefully process DNS traffic is excellent
> advice. Personal experience is that suddenly being a node which
> attackers try to reflect from can really ruin your day if you're
> stateful.


More information about the bind-users mailing list