My firewall blocks DNS
New Linode user here. I've set up Debian 11 on a Linode and configured a firewall to block most traffic but allow DNS inbound and outbound. This is using the default settings for accept-inbound-DNS
and accept-outbound-DNS
on the firewall configuration page and which specifies port 53. /etc/resolv.conf
looks like
hbarta@hankbarta:~$ cat /etc/resolv.conf
# Generated by Linode Network Helper
# Mon Dec 20 22:07:09 2021 UTC
#
# This file is automatically generated on each boot with your Linode's
# current network configuration. If you need to modify this file, please
# first disable the 'Auto-configure Networking' setting within your Linode's
# configuration profile:
# - https://cloud.linode.com/linodes/33005916/advanced
#
# For more information on Network Helper:
# - https://www.linode.com/docs/platform/network-helper
#
# A backup of the previous config is at /etc/.resolv.conf.linode-last
# A backup of the original config is at /etc/.resolv.conf.linode-orig
#
domain members.linode.com
search members.linode.com
nameserver 66.175.211.5
nameserver 207.192.69.5
nameserver 50.116.62.5
options rotate
hbarta@hankbarta:~$ cat /etc/.resolv.conf.linode-orig
search members.linode.com
nameserver 1.1.1.1
nameserver 1.0.0.1
If I temporarily disable the firewall, DNS works so I'm pretty sure it is the firewall. What do I need to do differently to get this to work?
Thanks!
2 Replies
You need to modify your firewall configuration to not block DNS -- allow port 53, in or out, tcp and udp.
Since you're using Debian, you'll have to modify your ipfilter rule set. You'll have to figure out how to do that on your own.
-- sw
Yes, thanks.
I have my firewall rules set at https://cloud.linode.com/firewalls/37660.
I have not configured any rules for my host.
The firewall rules (in order)
Inbound:
- accept SSH, Port 22, All IPv4, All IPv6
- accept ICMP, All IPv4, All IPv6
- Accept DNS Port 53, All IPv4, All IPv6
Default Drop
Outbound
- accept SSH, Port 22, All IPv4, All IPv6
- accept HTTP, Port 80, All IPv4, All IPv6
- accept HTTPS, Port 443, All IPv4, All IPv6
- Accept DNS Port 53, All IPv4, All IPv6
- Accept ICMP All IPv4, All IPv6
Default Drop
I haven't configured a firewall on my host since I'm using the one listed above. If I disable that, DNS works. If I leave it enabled and change the outbound rules to Default Accept, DNS works.
I suppose I don't need to block outbound traffic.