Does anyone know how to block the use of a DNS server (udp port 53) from outside, but still have external mail be able to resolve addresses?
Here is what I tried (xxx.xxx.xxx.0 is our external net that the DNS server is on):
iptables -A INPUT -s xxx.xxx.xxx.0/24 -p udp -j LOG --log-prefix "XXX LOCAL UDP DNS XXX "
iptables -A INPUT -s xxx.xxx.xxx.0/24 -p udp -j ACCEPT
iptables -A INPUT -p udp -j LOG --log-prefix "XXX INPUT UDP LOG-drop XXX "
iptables -A INPUT -p udp -j DROP
DNS requests from our machines work with the rules above, but here is the message a remote system gets when someone mails us:
Aug 11 10:33:52 remotemachine sendmail[16732]: h7BFVAAR016730: to=<len@xxxxxxxxxxxxxxxxxxxxx>, ctladdr=<someone@xxxxxxxxxxxxxxxx> (0/0), delay=00:01:49, xdelay=00:01:49, mailer=esmtp, pri=30344, relay=machine.ourdomain.com., dsn=4.0.0, stat=Deferred: Name server: machine.ourdomain.com.: host name lookup failure
Len Laulainen
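The deferral in the sendmail log is the remote MTA's own resolver failing to look up machine.ourdomain.com. If the host on xxx.xxx.xxx.0/24 is the authoritative name server for ourdomain.com, the unconditional UDP DROP at the end of the posted chain discards the outside world's queries for that zone, and no outside mail server can find the MX or A record. The four rules as posted also have no stateful ACCEPT, so replies to the name server's own outbound queries (which arrive from arbitrary source addresses) fall into the same DROP. "Block use from outside" is then really "answer authoritative queries for our zone from anywhere, but do not recurse for outsiders", which is a resolver setting rather than a packet-filter rule. The script below is an added example, not the original poster's ruleset: it keeps the poster's local-net ACCEPT and LOG/DROP catch-all, inserts a stateful ACCEPT for replies, and admits port 53 (UDP and TCP) only to the name server's address. The addresses 192.0.2.0/24 and 192.0.2.53 are RFC 5737 documentation placeholders standing in for the poster's xxx.xxx.xxx.0/24 and the name server's address; the IPTABLES variable defaults to a dry run that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not the original poster's ruleset). LOCAL_NET stands in for
# xxx.xxx.xxx.0/24 and DNS_SERVER for the name server's own address; both are
# RFC 5737 documentation placeholders and must be replaced before use.
# Set IPTABLES=iptables to apply; the default only prints what would run.
LOCAL_NET=${LOCAL_NET:-192.0.2.0/24}
DNS_SERVER=${DNS_SERVER:-192.0.2.53}
IPTABLES=${IPTABLES:-"echo iptables"}

# Print (or apply) the INPUT rules. Netfilter walks a chain top to bottom and
# stops at the first ACCEPT or DROP that matches, so the order is the point.
dns_input_rules() {
    # Replies to queries the name server itself sent out come back from
    # arbitrary addresses on UDP; without this line they hit the final DROP.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Hosts on the local net may send us any UDP (the poster's rule).
    $IPTABLES -A INPUT -s "$LOCAL_NET" -p udp -j ACCEPT

    # The outside world may query the name server, and only it, and only on
    # port 53. TCP 53 is included because answers that do not fit in a UDP
    # datagram are retried over TCP and secondaries pull zone transfers over it.
    $IPTABLES -A INPUT -d "$DNS_SERVER" -p udp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -d "$DNS_SERVER" -p tcp --dport 53 -j ACCEPT

    # Everything else on UDP is logged, then dropped (the poster's catch-all).
    $IPTABLES -A INPUT -p udp -j LOG --log-prefix "XXX INPUT UDP LOG-drop XXX "
    $IPTABLES -A INPUT -p udp -j DROP
}

# Dry-run sanity check: the rule admitting outside port-53 queries must come
# before the catch-all DROP, otherwise it can never match. Returns 0 if so.
check_rule_order() {
    rules=$(dns_input_rules)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- "--dport 53 -j ACCEPT" | head -1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "-p udp -j DROP" | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

dns_input_rules
```

The packet filter cannot tell an authoritative query for ourdomain.com from a recursive query for someone else's zone; both are UDP to port 53. The "do not serve outsiders" part therefore belongs in the name server's configuration, for BIND the `allow-recursion` option in named.conf (for example `allow-recursion { localnets; };`), which keeps answering for the zones the server is authoritative for while refusing to act as an open resolver for everyone else.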