Configure Firewall to Accept DNS Requests for Slave Zones


This topic contains 1 reply, has 0 voices, and was last updated by  derrick 4 years, 6 months ago.

    #43821

    derrick
    Member

    Hello!

    I need help configuring Zeroshell to respond to DNS queries from the Internet and use local slave zones in responding.

    I have setup Zeroshell so that:

    ETH00 -> Internet
    ETH01 -> Intranet

    On the Intranet, I have a Windows 2008 Server that hosts a primary domain record for example.com. The domain record is setup to zone transfer to any server. On ZS, I have setup a slave zone for example.com and the Windows box as the master server. The zone transfers properly to ZS.

    When I run “nslookup example.com” from within the Intranet everything works as expected. When I attempt the same lookup from the Internet the lookup fails with:

    DNS request timed out.
    timeout was 2 seconds.

    I tried adding the following accept rules to the firewall:

    Chain INPUT (policy ACCEPT 14279 packets, 4126K bytes)
    pkts bytes target prot opt in out source destination
    15084 4236K SYS_GUI all -- * * 0.0.0.0/0 0.0.0.0/0
    15084 4236K SYS_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 SYS_HTTPS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    192 24038 SYS_HTTPS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    5 240 SYS_SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53

    Chain OUTPUT (policy ACCEPT 16127 packets, 14M bytes)
    pkts bytes target prot opt in out source destination
    16392 14M SYS_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53

    The above did not resolve my issue.

    I am not an expert in this domain by any means. I would greatly appreciate any help properly configuring Zeroshell to accept the DNS queries and use the local slave zones in responding.

    Thank you!

    Sincerely,

    -Derrick

    #53104

    derrick
    Member

    This is not a ZS firewall issue at all. The DNS itself must be configured to accept clients from the Internet, which is not the default. I added 0.0.0.0/0 to the client list and the external test works as expected now. Excellent!

    I will leave this post up in case anyone else makes a similar mistake.

    It is worth asking if this is the best practice for providing DNS for example.com, which is intended to be shielded within the Intranet?

    #53105

    derrick
    Member

    Adding 0.0.0.0/0 as discussed above will add this network range to the “internal-in” view of the named.conf generated by Zeroshell. Recursion and other features are enabled in this view. This opens the instance up to DNS Amplification DDOS attacks: https://www.us-cert.gov/ncas/alerts/TA13-088A.

    Alternatively, I tried to add allow-query { 0.0.0.0/0; }; to DNS Options but this did not work. In /tmp/named.conf this was preceded by allow-query { localclients; }; and I am not sure if this replaces the preceding option. I am still trying to figure out a proper solution.

    I am going to create a new post under the Networking forum.
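The posts above describe the problem exactly: adding 0.0.0.0/0 to Zeroshell's client list drops Internet hosts into the same "internal-in" view that has recursion enabled, which turns the box into an open resolver. The following is an added example, not Zeroshell's generated named.conf and not anything posted in this thread: a hand-written BIND 9 layout that shows the shape a split-horizon setup should have, with the slave zone served to everyone but recursion limited to the Intranet. The master address 192.0.2.10, the Intranet prefix 192.168.1.0/24, the file paths and the rate-limit block are assumed placeholders (rate-limit requires BIND 9.9 or later, and the BIND version shipped with Zeroshell is not stated on this page).

```conf
// Added example: split-horizon BIND 9 configuration (not Zeroshell's own file).
// Assumed values: master 192.0.2.10, Intranet 192.168.1.0/24, file names below.

acl "intranet" { 127.0.0.0/8; 192.168.1.0/24; };

options {
    directory "/var/named";
    recursion no;                  // safe default; the internal view overrides it
    allow-transfer { none; };      // no zone transfers to the Internet
    // Optional (BIND >= 9.9): damp reflection/amplification from spoofed sources.
    rate-limit { responses-per-second 10; };
};

// Views are matched in order, so the Intranet view must come first.
// Intranet clients get recursion plus the local copy of example.com.
view "internal" {
    match-clients { intranet; };
    recursion yes;
    allow-query { intranet; };
    allow-recursion { intranet; };
    zone "example.com" {
        type slave;
        file "slaves/example.com.internal";   // each view needs its own file
        masters { 192.0.2.10; };
    };
};

// Everyone else (the Internet) gets authoritative answers for example.com only.
// With recursion off, allow-query-cache defaults to none; it is spelled out here
// so the intent is visible when reviewing the file.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    allow-query-cache { none; };
    zone "example.com" {
        type slave;
        file "slaves/example.com.external";
        masters { 192.0.2.10; };
    };
};
```

To confirm the external view behaves as intended, query the server from an Internet host: `dig @<zeroshell-public-ip> example.com SOA` should return an answer with the `aa` flag set, while `dig @<zeroshell-public-ip> www.example.org` (a name the server is not authoritative for) should return status REFUSED rather than an answer. On the server, `named-checkconf` validates the file before reloading. Since Zeroshell regenerates named.conf from its GUI settings, changes made directly to /tmp/named.conf will not survive; the configuration above is the target to reproduce through whatever mechanism Zeroshell offers, and a simpler alternative, if example.com really is meant to stay inside the Intranet, is to not publish it from this host at all.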
