DNS server question
Can I restrict my Linode's DNS traffic to be to/from the Linode DNS servers:
only and still expect my Linode to operate properly? Do the IP addresses for these domain names change at all (I would expect not)? If so, how frequently?
Thanks in advance…
Hey @sstevewi. It would be dangerous to configure a Linode to only use our name servers (resolvers) for DNS, and this is something you’re unable to do. Doing this would make you vulnerable to a “Man in the Middle Attack.” The IP addresses tied to these domains resolve to a 3rd party, and are unlikely to change.
I was asking in the context of a firewall…not name resolution. I currently have all DNS traffic blocked except to/from these addresses:
ns1.linode.com = 184.108.40.206, 2400:cb00:2049:1::a29f:1a63 ns2.linode.com = 220.127.116.11, 2400:cb00:2049:1::a29f:1827 ns3.linode.com = 18.104.22.168, 2400:cb00:2049:1::a29f:1981 ns4.linode.com = 22.214.171.124, 2400:cb00:2049:1::a29f:1b48 ns5.linode.com = 126.96.36.199, 2400:cb00:2049:1::a29f:1819
These are all Cloudflare addresses.
My set of resolvers is set to:
because that's what DHCP set them to…
Like every other linode, mine is subject to lots of port scanning by some very bad actors. My purpose in implementing these restrictions is to try to prevent certain kinds of DNS attacks.
Here's an (tcpdump(1)) example of a block I captured just a few minutes ago from a domain in Slovakia (…prob a Russian proxy…my IP address is replaced by XXX.XXX.XXX.XXX):
00:00:00.000000 rule 2/0(match): block in on vtnet0: 188.8.131.52.51410 > XXX.XXX.XXX.XXX.53: 27+ ANY? pizzaseo.com. (30)
Here's an example from a Turkish proxy operating in the Netherlands (that engages in relentless port scanning):
00:06:46.272074 rule 2/0(match): block in on vtnet0: 184.108.40.206.43352 > XXX.XXX.XXX.XXX.53: 13551+ TXT CHAOS? VERSION.BIND. (30)
If I don't need to do this, that would be welcome news. The restrictions are easy to remove. I wish you guys would set up DNSSEC…