If you are hosting your own DNS servers (which, since they cannot resolve email when you block DNS, you probably are), then you need to allow UDP 53 in to those DNS boxes. Do you want to restrict DNS use from your clients to your internal DNS servers?
If so, just:
iptables -A FORWARD -s <dns server> -p udp --dport 53 -j ACCEPT
If you are NATting and need to allow DNS forwarding, just:
iptables -t nat -A PREROUTING -p udp -i <incoming interface> -d <incoming interface ip> --dport 53 -j DNAT --to-destination <DNS IPADDR>:53
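The two rules above cover the two halves of the problem separately; the following script is an added example (not from either message in this thread) that puts them together for one layout: the DNS server sits on a private DMZ address behind a NATting firewall, outside resolvers and mail relays reach it through a DNAT on the public address, LAN clients may use only that server, and any other port-53 traffic leaving the LAN is logged and dropped. All interface names and addresses are constructed placeholders; `IPT` defaults to printing the commands so the ruleset can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not from the original thread. Names and addresses are
# constructed placeholders; adjust them to the real network before use.
EXT_IF="${EXT_IF:-eth0}"                     # interface facing the Internet
INT_IF="${INT_IF:-eth1}"                     # interface facing the LAN
EXT_IP="${EXT_IP:-203.0.113.10}"             # public address published in our NS/A records
DNS_SERVER="${DNS_SERVER:-192.168.20.53}"    # the DNS box, on a DMZ subnet behind the firewall
LAN_NET="${LAN_NET:-192.168.10.0/24}"        # the client LAN
# IPT defaults to a dry run that prints each command; run with IPT=iptables
# (as root) to actually load the rules.
IPT="${IPT:-echo iptables}"

dns_rules() {
    # 1. Outside resolvers and mail relays must reach the authoritative server,
    #    otherwise they get the "host name lookup failure" quoted in the thread.
    #    Both UDP and TCP 53 are needed: large answers and zone transfers fall
    #    back to TCP. The DNAT rewrites the public address to the real box, and
    #    since PREROUTING runs before FORWARD, the FORWARD rule matches the
    #    private address.
    for proto in udp tcp; do
        $IPT -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" -d "$EXT_IP" --dport 53 \
            -j DNAT --to-destination "$DNS_SERVER:53"
        $IPT -A FORWARD -i "$EXT_IF" -p "$proto" -d "$DNS_SERVER" --dport 53 -j ACCEPT
    done
    # 2. Internal clients may query only our own DNS server.
    for proto in udp tcp; do
        $IPT -A FORWARD -i "$INT_IF" -s "$LAN_NET" -p "$proto" -d "$DNS_SERVER" --dport 53 -j ACCEPT
    done
    # 3. Any other port-53 traffic leaving the LAN (a host pointed at an outside
    #    resolver, or something tunnelling data over DNS) is logged, then dropped.
    $IPT -A FORWARD -i "$INT_IF" -s "$LAN_NET" -p udp --dport 53 -j LOG --log-prefix "LAN DNS LEAK "
    $IPT -A FORWARD -i "$INT_IF" -s "$LAN_NET" -p tcp --dport 53 -j LOG --log-prefix "LAN DNS LEAK "
    $IPT -A FORWARD -i "$INT_IF" -s "$LAN_NET" -p udp --dport 53 -j DROP
    $IPT -A FORWARD -i "$INT_IF" -s "$LAN_NET" -p tcp --dport 53 -j DROP
    # 4. Replies to the accepted queries (UDP included, via conntrack) flow back.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

dns_rules
```

Run it once without `IPT` set to see the eleven rules it would load; then `IPT=iptables sh dns-rules.sh` applies them. The log prefix gives a grep handle in syslog for LAN hosts that are bypassing the internal resolver, which is usually a misconfiguration and occasionally something worth investigating.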
-----Original Message-----
Does anyone know how to block the use of a DNS server (UDP port 53) from outside, but still have external mail be able to resolve addresses? Here is what I tried (xxx.xxx.xxx.0 is our external net that the DNS server is on):

iptables -A INPUT -s xxx.xxx.xxx.0/24 -p udp -j LOG --log-prefix "XXX LOCAL UDP DNS XXX "

DNS requests from our machines work with the rules above, but here is the message a remote system gets when someone mails us:

Aug 11 10:33:52 remotemachine sendmail[16732]: h7BFVAAR016730: to=<len@xxxxxxxxxxxxxxxxxxxxx>, ctladdr=<someone@xxxxxxxxxxxxxxxx> (0/0), delay=00:01:49, xdelay=00:01:49, mailer=esmtp, pri=30344, relay=machine.ourdomain.com., dsn=4.0.0, stat=Deferred: Name server: machine.ourdomain.com.: host name lookup failure

Len Laulainen