#1
DNS Bind 9 and Iptables
Ok, I have my name server working perfectly. Internally I can access any domain that I have authority over (and a zone file for). Externally I can do the same.

However, the problem comes when internally I want to get the address of a non-authoritative domain such as yahoo.com. It WILL work if I kill iptables, but as soon as I bring up iptables it won't work. Obviously there is an iptables OUTPUT and INPUT rule that needs to be set correctly for named to talk with the other DNS servers, such as the root servers in the db.rootcache file. Currently my iptables file looks like so (using lokkit to create the file, then I manually edit it, since the last time I used a Linux firewall was with ipchains):

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 53 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.0.0.220 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT

So how do I open (and restrict) this server to allow recursive lookups? (I know the named.conf is correct because it works fine without iptables running.) The only thing this computer does is authoritative DNS for 5 domains (no recursion externally), and it will do authoritative and recursive service for internal clients. It will also accept SSH from an internal IP address (10.0.0.x). But that should be it. Thanks for your help in advance.
#2
|
||||
|
||||
|
oh spiffy, I've never researched how to allow restricted recursion.

*researches for 5 min* darn, it turned out to be really simple.

****************************************************
allow-recursion
Specifies which hosts are allowed to make recursive queries through this server. If not specified, the default is to allow recursive queries from all hosts. Note that disallowing recursive queries for a host does not prevent the host from retrieving data that is already in the server's cache.
****************************************************

Here's an example I made for ya:

options {
    # allow loopback and all private networks
    allow-recursion { 127/8; 192.168/16; 10/8; 172.16/12; };
};

--

As for iptables, I can't help ya since I'm no Linux guru. But an overkill measure is allowing all UDP traffic incoming and outgoing. Not much harm in that.
Last edited by SilentRage : November 25th, 2003 at 11:52 AM.
#3
Yes, I have recursion enabled. The named is actually working perfectly. It's the dang IPTABLES that is restricting it. Because when it has to serve an internal host on a non-authoritative lookup it has to ask a root server for help, and those will dish it off, etc. But that reply has to come back to the named through the firewall, and that is where it is dying. I'm guessing it's coming back on a non-53 TCP/UDP port.
#4
|
||||
|
||||
|
I did some packet sniffing while my BIND server resolved lookups. Try opening incoming port 1025 UDP.

You also should try sniffing or look at the iptables logs to determine what ports you need to open. You should also look for an option where iptables will be more intelligent about this. My router blocks port 1025 UDP, but I still get my responses. This is because the router detects the outgoing UDP packet and expects a response to the original source port.

Last edited by SilentRage : November 25th, 2003 at 03:24 PM.
#5
Here is the fix for Bind9.

Since I allow port 53 to come in and I know that works, I just make all other traffic coming into and going out of the DNS server also use port 53. To do this you need to put this in your options section:

query-source address * port 53;
notify-source * port 53;
transfer-source * port 53;

Hope this helps anyone that may come across the same problem.
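Post #5 makes the replies fit the existing ACCEPT by pinning every outbound query to source port 53, which also gives up the source-port randomization that later BIND releases rely on against cache poisoning; the stateful tracking SilentRage describes in #4 lets the replies in without that. The Python below is an added example, not from the thread: it models how the kernel walks the lokkit rules posted in #1 against a constructed root-server answer, with and without a conntrack ACCEPT inserted at the top of the lokkit chain. Assumptions: only the match options that appear in the thread are modelled, and the addresses 192.0.2.53 (remote server) and 10.0.0.53 (the name server itself) are constructed.

```python
# Added example, not from the thread: a model of how the kernel walks the lokkit INPUT
# rules above, showing why named's recursive replies died and how conntrack fixes it.
LOKKIT_RULES = """\
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 53 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.0.0.220 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT""".splitlines()
# Stateful ACCEPT for replies to flows this host started, whatever ephemeral port they hit.
CONNTRACK = "-A RH-Lokkit-0-50-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
FLAGS = {"-p": "proto", "--dport": "dport", "--sport": "sport", "-s": "src",
         "-d": "dst", "-i": "iface", "--state": "state", "-j": "target"}

def parse(line):
    """One iptables-save line -> chain, target and the match options modelled here."""
    t = line.split()
    return {"chain": t[1], "syn": "--syn" in t,
            **{k: t[t.index(f) + 1] for f, k in FLAGS.items() if f in t}}

def in_net(ip, spec):
    """CIDR test accepting iptables shorthand such as '0/0' or '10/8'."""
    net, _, bits = spec.partition("/")
    as_int = lambda a: int.from_bytes(bytes(int(o) for o in (a.split(".") + ["0"] * 3)[:4]), "big")
    mask = (0xFFFFFFFF << (32 - int(bits or 32))) & 0xFFFFFFFF
    return (as_int(ip) & mask) == (as_int(net) & mask)

def matches(r, pkt):  # every option present on the rule must agree with the packet
    return (r.get("proto", pkt["proto"]) == pkt["proto"]
            and all(int(r.get(p, pkt[p])) == pkt[p] for p in ("sport", "dport"))
            and in_net(pkt["src"], r.get("src", "0/0")) and in_net(pkt["dst"], r.get("dst", "0/0"))
            and r.get("iface", pkt["iface"]) == pkt["iface"]
            and (pkt.get("syn", False) or not r["syn"])
            and pkt["state"] in r.get("state", pkt["state"]).split(","))

def verdict(rules, pkt, chain="INPUT", policy="ACCEPT"):  # top-to-bottom walk, recursing into user chains
    for r in (r for r in rules if r["chain"] == chain and matches(r, pkt)):
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
        if sub := verdict(rules, pkt, r["target"], None):  # user chain; None = fell through
            return sub
    return policy

def rules(stateful=False):
    """The posted rule set, optionally with CONNTRACK placed first in the lokkit chain."""
    return [parse(l) for l in LOKKIT_RULES[:1] + [CONNTRACK] * stateful + LOKKIT_RULES[1:]]
# Constructed: a remote server's answer (source port 53) landing on named's ephemeral port.
REPLY = dict(proto="udp", src="192.0.2.53", dst="10.0.0.53", sport=53, dport=1025,
             iface="eth0", state="ESTABLISHED")
```

Against the posted rules the reply falls through to the final UDP REJECT; with the conntrack rule it is ACCEPTed while the same datagram in state NEW is still rejected, which is what allowing all inbound UDP would not give you.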
#6
oh duh, why didn't I think of that. :-(
Viewing: Dev Shed Forums > System Administration > DNS > DNS Bind 9 and Iptables