DNS server question

Hey @sstevewi. It would be dangerous to configure a Linode to only use our name servers (resolvers) for DNS, and this is something you’re unable to do. Doing this would make you vulnerable to a “Man in the Middle Attack.” The IP addresses tied to these domains resolve to a 3rd party, and are unlikely to change.

@Jbounmasy --

I was asking in the context of a firewall…not name resolution. I currently have all DNS traffic blocked except to/from these addresses:

ns1.linode.com = 162.159.27.72, 2400:cb00:2049:1::a29f:1a63
ns2.linode.com = 162.159.24.39, 2400:cb00:2049:1::a29f:1827
ns3.linode.com = 162.159.25.129, 2400:cb00:2049:1::a29f:1981
ns4.linode.com = 162.159.26.99, 2400:cb00:2049:1::a29f:1b48
ns5.linode.com = 162.159.24.25, 2400:cb00:2049:1::a29f:1819

These are all Cloudflare addresses.

My set of resolvers is set to:

search members.linode.com

because that's what DHCP set them to…

Like every other linode, mine is subject to lots of port scanning by some very bad actors. My purpose in implementing these restrictions is to try to prevent certain kinds of DNS attacks.

Here's an (tcpdump(1)) example of a block I captured just a few minutes ago from a domain in Slovakia (…prob a Russian proxy…my IP address is replaced by XXX.XXX.XXX.XXX):

00:00:00.000000 rule 2/0(match): block in on vtnet0: 107.189.13.63.51410 > XXX.XXX.XXX.XXX.53: 27+ ANY? pizzaseo.com. (30)

Here's an example from a Turkish proxy operating in the Netherlands (that engages in relentless port scanning):

00:06:46.272074 rule 2/0(match): block in on vtnet0: 185.53.90.85.43352 > XXX.XXX.XXX.XXX.53: 13551+ TXT CHAOS? VERSION.BIND. (30)

If I don't need to do this, that would be welcome news. The restrictions are easy to remove. I wish you guys would set up DNSSEC…

-- sw

Use Unbound for the DNS, no need to use other. I have done that for 5+ years now.

@Tntdruid --

Thanks for the reply… Can you offer some more details about how to do this? I have unbound(8) running on my server. Thanks in advance

-- sw