Hello, i have a very high and anormally traffic outbound UDP in port 53, i see in my external pfsense many connections from my virtualmin server to many ip’s in UDP 53 outbound, i have a little web and mail server config in my virtualmin (aprox. ±30 domains) with bind server configured, i know that can i not close this port because my domains need dns to work, but i think if i close my bind only to parent dns server or something like that can i close this high traffic UDP that I’m suffering right now.
Please, any help to block my dns server or go out this traffic ???
We expose our master servers to our slaves, and the slaves then process public queries.
In order to restrict things in this manner, it’s as easy as setting up a firewall rule.
Inside the rule, simply specify:
Source address or network Equals 111.222.333.444
This is specified under the “Condition details” section.
*** you can establish a basic firewall by using the “Reset firewall” button on: “Virtualmin > Networking > Linux FIrewall” then adjust things from there. ***
When you have a DNS server responding to both queries from localhost, and to public queries, you pretty much have to configure Bind to use two different “views”. The internal view accepts connections only from localhost and other trusted clients; and allows recursion.
view “internal” {
match-clients { 127.0.0.1; };
recursion yes;
notify no;
allow-query { any; }; allow-transfer { any; };
zone “localhost” { type master; file “/etc/bind/db.local”; };
zone “127.in-addr.arpa” { type master; file “/etc/bind/db.127”; };
zone “0.in-addr.arpa” { type master; file “/etc/bind/db.0”; };
zone “255.in-addr.arpa” { type master; file “/etc/bind/db.255”; };
zone “10.in-addr.arpa” { type master; file “/etc/bind/db.10”; };
};
and the external view prohibits recursive responses to the public
view “external” {
match-clients { any;};
recursion no;
additional-from-auth yes; additional-from-cache no;
notify yes;
allow-query { any; };
allow-transfer { key xfers.; 127.0.0.1; };
You’ll get eaten alive if you permit public recursive queries.
ns1.tpndns.com and ns2.tpndns.com are dedicated boxes setup specifically for serving the public and technically serve up “slave zones”.
To ensure the public is not attempting to poll “web1.tpnservers.com”, we use a set of firewall rules which only permit communication between our two “slave” machines and the “master”. Further, when we publish “nameservers” at the registrar, we publish the two “slave” machines therefore never exposing the “master”.
This setup has been flawlessly in place for over 3 years, and our “masters” have never been polled from the public given their firewalled state.
If you’d like to discuss this type of setup further, please feel free to contact me at: pknowles@tpnsolutions.com
Peter’s solution is very good if you have other hosts to serve the public queries. Notice that his domain’s NS records don’t even list the master
With that setup, bind can be configured to reject all queries other than from the slaves (and probably is), but with the firewall protection the master doesn’t even receive queries to drop