Iptables configuration for BIND server

[bkesting]

Hello,

I am running a BIND 9.3.2 nameserver to host my own domain. It is running smoothly and queries requests like a champ. This machine has a public IP and I would like to use iptables to lock it down. When I run my iptables script, I think the nameserver is still resolving for people outside my network and zone transfers to secondary servers (outside my network) seem to be working, but when I try to run a dig or nslookup locally on the nameserer, it times out. If I flush my iptables rules, then the local commands work fine. Can someone point out to me what might be wrong? Here are the commands I am running in my script:

# allow outside dns requests
iptables -A INPUT -s 0/0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -s 0/0 -p udp --dport 53 -j ACCEPT

# allow ssh connection from local network
iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 22 -j ACCEPT

# allow icmp traffic
iptables -A INPUT -s 0/0 -p icmp -j ACCEPT

# block all other traffic
iptables -A INPUT -s 0/0 -p all -j DROP

 

[bkesting]

Adding

query-source address * port 53;

to my named.conf file and adding:

iptables -A INPUT -i lo -j ACCEPT

seems to have resolved my issue.

 

[Kreichek]

Isn't it better if you used the allow-query statement in named.conf to control the access to your server rather than dealing with much more complex iptables rules?

---
Jordan Jordanov
Network administrator
Faculty of German Engineering Education and Industrial Management
Technical University of Sofia, Bulgaria

 

[elgrandeperro]

That is what I do on my corporate site. Just allow 53 tcp/udp inbound and let the named.conf handle it with allow and acls statements.

a) one location for the config
b) you only need to peruse one log for problems.

gene

 

[bkesting]

Thanks for the advice