Configure Firewall to Accept DNS Requests for Slave Zones

#43821
    derrick
    Member

    Hello!

    I need help configuring Zeroshell to respond to DNS queries from the Internet and use local slave zones in responding.

    I have setup Zeroshell so that:

    ETH00 -> Internet
    ETH01 -> Intranet

    On the Intranet, I have a Windows 2008 Server that hosts a primary domain record for example.com. The domain record is setup to zone transfer to any server. On ZS, I have setup a slave zone for example.com and the Windows box as the master server. The zone transfers properly to ZS.

    When I run “nslookup example.com” from within the Intranet everything works as expected. When I attempt the same lookup from the Internet the lookup fails with:

    DNS request timed out.
    timeout was 2 seconds.

    I tried adding the following accept rules to the firewall:

    Chain INPUT (policy ACCEPT 14279 packets, 4126K bytes)
    pkts bytes target prot opt in out source destination
    15084 4236K SYS_GUI all -- * * 0.0.0.0/0 0.0.0.0/0
    15084 4236K SYS_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 SYS_HTTPS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    192 24038 SYS_HTTPS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    5 240 SYS_SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53

    Chain OUTPUT (policy ACCEPT 16127 packets, 14M bytes)
    pkts bytes target prot opt in out source destination
    16392 14M SYS_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53

    The above did not resolve my issue.

    I am not an expert in this domain by any means. I would greatly appreciate any help properly configuring Zeroshell to accept the DNS queries and use the local slave zones in responding.

    Thank you!

    Sincerely,

    -Derrick

    #53104
    derrick
    Member

    This is not a ZS firewall issue at all. The DNS itself must be configured to accept clients from the Internet, which is not the default. I added 0.0.0.0/0 to the client list and the external test works as expected now. Excellent!

    I will leave this post up in case anyone else makes a similar mistake.

    It is worth asking if this is the best practice for providing DNS for example.com, which is intended to be shielded within the Intranet?

    #53105
    derrick
    Member

    Adding 0.0.0.0/0 as discussed above will add this network range to the “internal-in” view of the named.conf generated by Zeroshell. Recursion and other features are enabled in this view. This opens the instance up to DNS Amplification DDOS attacks: https://www.us-cert.gov/ncas/alerts/TA13-088A.

    Alternatively, I tried to add allow-query { 0.0.0.0/0; }; to DNS Options but this did not work. In /tmp/named.conf this was preceded by allow-query { localclients; }; and I am not sure if this replaces the preceding option. I am still trying to figure out a proper solution.

    I am going to create a new post under the Networking forum.
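    The usual way to serve a slave zone to the Internet without also handing out recursion is a split-view BIND configuration, shown below as an added example. It is not the named.conf that Zeroshell generates; it only reuses the names quoted from /tmp/named.conf above (the "localclients" ACL and the "internal-in" view) and uses constructed placeholder addresses (10.0.0.0/8 for the Intranet, 192.0.2.1 for the Windows 2008 master). Note that a second allow-query statement inside the same block does not override the first: BIND treats a repeated statement in one block as a "redefined" configuration error and refuses to load, which is consistent with the option "not working" when appended to DNS Options.

```conf
// Added example: split-view BIND configuration, not Zeroshell's own named.conf.
// Assumptions: ACL "localclients" and view "internal-in" as quoted from
// /tmp/named.conf above; 10.0.0.0/8 and 192.0.2.1 are constructed placeholders.

acl localclients { 127.0.0.1; 10.0.0.0/8; };

options {
    directory "/var/named";
    // Global defaults: authoritative answers only, no recursion for anyone.
    // Views below selectively re-enable recursion for the Intranet.
    recursion no;
    allow-recursion { none; };
    allow-query { any; };
};

// Intranet clients: full resolver behaviour, as in the existing internal view.
view "internal-in" {
    match-clients { localclients; };
    recursion yes;
    allow-recursion { localclients; };
    allow-query { localclients; };

    zone "example.com" {
        type slave;
        file "slave/example.com.internal";
        masters { 192.0.2.1; };
    };
};

// Internet clients: answers for the slave zone only, recursion refused,
// so the server cannot be used as an open resolver for amplification.
view "external-in" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query { any; };
    // Response rate limiting (BIND 9.10 and later) limits how useful the
    // remaining authoritative answers are for reflection.
    rate-limit {
        responses-per-second 10;
    };

    zone "example.com" {
        type slave;
        file "slave/example.com.external";
        masters { 192.0.2.1; };
    };
};
```

    Each view needs its own zone statement because zone data is kept per view. Both views above transfer the same zone from the Windows master, so every internal record still becomes visible to the Internet; if example.com is meant to stay shielded, the external view should instead serve a separate zone containing only the public records. Check the result with `named-checkconf` before reloading, and confirm from outside with `dig @<public-ip> example.com SOA` (answer expected) and `dig @<public-ip> www.google.com` (expected to be refused).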
