DNS server question

Can I restrict my Linode's DNS traffic to be to/from the Linode DNS servers:

  • ns1.linode.com
  • ns2.linode.com
  • ns3.linode.com
  • ns4.linode.com
  • ns5.linode.com

only and still expect my Linode to operate properly? Do the IP addresses for these domain names change at all (I would expect not)? If so, how frequently?

Thanks in advance…

-- sw

4 Replies

Hey @sstevewi. It would be dangerous to configure a Linode to only use our name servers (resolvers) for DNS, and this is something you’re unable to do. Doing this would make you vulnerable to a “Man in the Middle Attack.” The IP addresses tied to these domains resolve to a 3rd party, and are unlikely to change.

@Jbounmasy --

I was asking in the context of a firewall…not name resolution. I currently have all DNS traffic blocked except to/from these addresses:

ns1.linode.com =, 2400:cb00:2049:1::a29f:1a63
ns2.linode.com =, 2400:cb00:2049:1::a29f:1827
ns3.linode.com =, 2400:cb00:2049:1::a29f:1981
ns4.linode.com =, 2400:cb00:2049:1::a29f:1b48
ns5.linode.com =, 2400:cb00:2049:1::a29f:1819

These are all Cloudflare addresses.

My set of resolvers is set to:

search members.linode.com

because that's what DHCP set them to…

Like every other linode, mine is subject to lots of port scanning by some very bad actors. My purpose in implementing these restrictions is to try to prevent certain kinds of DNS attacks.

Here's an (tcpdump(1)) example of a block I captured just a few minutes ago from a domain in Slovakia (…prob a Russian proxy…my IP address is replaced by XXX.XXX.XXX.XXX):

00:00:00.000000 rule 2/0(match): block in on vtnet0: > XXX.XXX.XXX.XXX.53: 27+ ANY? pizzaseo.com. (30)

Here's an example from a Turkish proxy operating in the Netherlands (that engages in relentless port scanning):

00:06:46.272074 rule 2/0(match): block in on vtnet0: > XXX.XXX.XXX.XXX.53: 13551+ TXT CHAOS? VERSION.BIND. (30)

If I don't need to do this, that would be welcome news. The restrictions are easy to remove. I wish you guys would set up DNSSEC…

-- sw

Use Unbound for the DNS, no need to use other. I have done that for 5+ years now.

@Tntdruid --

Thanks for the reply… Can you offer some more details about how to do this? I have unbound(8) running on my server. Thanks in advance

-- sw


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct