fixed case, and removed superfluous comment that may not get them answers

I have to manage one server with an Open DNS service running on it. Recently, it was heavily abused for DDoS DNS amplification attacks by unknown internet attackers. This DNS service is used by some localhost programs and intranet clients in a way I don't fully understand, which is why I am afraid of any reconfiguration of the DNS service itself. However, I thought that if I deny all DNS requests from the outer internet, it may solve my problems.

My questions are:

  1. How to deny all DNS requests from outer internet using iptables, leaving localhost and intranet (IP: 10.0.0.X and 10.0.1.X) intact?

  2. Won't it harm usability of DNS service from intranet?

  3. Won't it harm usability of other internet services (web+mail+db) on the server?

All domains currently used by our websites are managed by another company on their server; to my knowledge, nobody from the outer internet should need access to our DNS service.

Thank you.


How to disable access to DNS server from internet, leaving intranet intact? Using iptables

I have to manage one server with an Open DNS service running on it. Recently, it was heavily abused for DDoS DNS amplification attacks by unknown internet attackers. This DNS service is used by some localhost programs and intranet clients in a way I don't fully understand, which is why I am afraid of any reconfiguration of the DNS service itself. However, I thought that if I deny all dns requests from the outer internet, it may solve my problems.

My questions are:

  1. How to deny all DNS requests from outer internet using iptables, leaving localhost and intranet (IP: 10.0.0.X and 10.0.1.X) intact?

  2. Won't it harm usability of DNS service from intranet?

  3. Won't it harm usability of other internet services (web+mail+db) on the server?

As you can see, I am highly inexperienced with iptables and theory about DNS.

All domains currently used by our websites are managed by another company on their server; to my knowledge, nobody from the outer internet should need access to our DNS service.

Thank you.
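As an added illustration of the ruleset the question asks for (this is not part of the question or of any answer on the page), the following POSIX shell script builds iptables rules that accept DNS on port 53 only from loopback and from the two intranet ranges, and drop everything else. It assumes the ranges 10.0.0.X and 10.0.1.X mean 10.0.0.0/24 and 10.0.1.0/24, that the resolver listens on both UDP and TCP 53, and that the chain name `DNS-IN`, the `IPT` variable and the rate-limited `LOG` rule are this example's own choices. Outbound lookups made by the server's own web, mail and database software are unaffected: their replies arrive with a high ephemeral destination port, not destination port 53, so none of these rules match them.

```shell
#!/bin/sh
# Added example, not code from the question: restrict inbound DNS to trusted sources.
# Assumptions: intranet = 10.0.0.0/24 and 10.0.1.0/24; resolver on UDP+TCP 53;
# chain name DNS-IN and the IPT variable are this example's own.

IPT="${IPT:-iptables}"
TRUSTED_NETS="10.0.0.0/24 10.0.1.0/24"

# Emit the rules one per line so they can be reviewed before they are applied.
dns_rules() {
    # A dedicated chain keeps the DNS policy in one place.
    echo "$IPT -N DNS-IN"
    # Localhost programs talk to the resolver over the loopback interface.
    echo "$IPT -A DNS-IN -i lo -j ACCEPT"
    # Intranet clients are identified by their source address.
    for net in $TRUSTED_NETS; do
        echo "$IPT -A DNS-IN -s $net -j ACCEPT"
    done
    # Log a limited sample of rejected queries (visibility), then drop silently:
    # DROP rather than REJECT so the server sends nothing back to spoofed sources.
    echo "$IPT -A DNS-IN -m limit --limit 5/min -j LOG --log-prefix 'DNS-DROP: '"
    echo "$IPT -A DNS-IN -j DROP"
    # Only packets whose *destination* port is 53 enter the chain, so replies to
    # the server's own outbound lookups (ephemeral destination port) pass by it.
    echo "$IPT -I INPUT -p udp --dport 53 -j DNS-IN"
    echo "$IPT -I INPUT -p tcp --dport 53 -j DNS-IN"
}

# Number of rules that hook into INPUT on destination port 53 (one UDP, one TCP).
count_dport53_rules() {
    dns_rules | grep -c -- '--dport 53'
}

# Number of ACCEPT rules: loopback plus one per trusted network.
count_accept_rules() {
    dns_rules | grep -c 'ACCEPT'
}

# Run the generated commands as root; stops at the first failing command.
apply_rules() {
    dns_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     dns_rules ;;
esac
```

Run without arguments to print the rules for review, and with `apply` (as root) to load them; they live only in the running kernel until saved with the distribution's persistence mechanism (for example `iptables-save`). One caveat worth checking before relying on this: intranet clients must reach the server with a source address inside the trusted ranges; if a NAT device sits between them and the server, the packets will carry the NAT's address and be dropped, so add that address to `TRUSTED_NETS`.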