Re: Adding subnet to firewalld drop zone

Hi.

On Wednesday, 08.08.2018, 22:27 +0100, Danny Horne via users wrote:
> Hi all,
> 
> I've been trying to add a subnet to my firewalld drop zone because
> queries from this subnet have been filling up my named logs and I've
> had enough!!
> 
> Based on research these are some assumptions I've made -
> 
> Adding a subnet to a zone makes it an active zone
> Zones with subnets take precedence over those with interfaces
> attached
> connection refused resolving
> '243.32.237.94.bb.barracudacentral.org/A/IN': 64.235.145.15#53 << In
> this example 64.235.145.15 is the source IP (am I right?)

No, this is the queried DNS. It is the authoritative NS for the domain
barracudacentral.org.

Seems to be some kind of reverse entry which does not resolve
correctly. The source for the query is not mentioned. The authoritative
server cannot resolve this query (tested) and therefore the query is
answered with code NXDOMAIN.

> This is what I've done to try and achieve what I want -
> 
> firewall-cmd --permanent --zone=drop --add-source=64.235.144.0/20
> (I've researched this, subnet is correct)
> firewall-cmd --reload
> 
> I'm still getting queries to my DNS servers from this subnet though,
> what have I missed?

You have to find out who issues the query. I would disable recursion
altogether except for the internal network.

Find out who queries these domains and answer with NXDOMAIN; disabling
recursion would do this. Blocking DNS queries if you are authoritative
for Internet domains is generally a very bad idea.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac
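For readers wanting to see what "recursion only for the internal network" looks like in practice, here is an added BIND named.conf fragment (not from the thread or from Dirk): external clients can still query the zones the server is authoritative for, while recursive lookups are only accepted from the "internal" ACL. The ACL prefixes, the zone name and the file paths are placeholders to be replaced with your own.

```conf
// Added example: restrict recursion to the internal network while
// keeping authoritative data reachable from the Internet.
// Placeholder prefixes; replace them with your real internal ranges.
acl "internal" {
    127.0.0.0/8;
    ::1/128;
    192.168.1.0/24;     // example LAN prefix (assumption)
};

options {
    directory "/var/named";

    // Everyone may ask: an authoritative server must keep answering
    // queries for its own zones from any source.
    allow-query { any; };

    // Recursion stays on for internal clients only. A client outside
    // the ACL that asks for a name this server is not authoritative for
    // gets a REFUSED answer instead of a lookup on its behalf.
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };
};

// A zone this server is authoritative for (placeholder name and file).
zone "example.com" IN {
    type master;
    file "example.com.zone";
};
```

Run `named-checkconf` after editing and then watch the named log: queries from outside the ACL for names you are not authoritative for should now show up as refused rather than as failed resolutions against third-party name servers.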


_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx/message/PPAEVRJO5ANPEQDVQ34QI4VU2CV6R5FC/