ufw

'ufw allow Bind9' doesn't seem to add rules allowing Bind to receive DNS responses

Bug #1874131 reported by unknown
Affects: ufw
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

$ ufw --version
ufw 0.36
Copyright 2008-2015 Canonical Ltd.

$ lsb_release -d
Description: Ubuntu 18.04.4 LTS

I used 'ufw allow Bind9' to add rules allowing the Bind instance on my machine to work, but it looks like ufw only adds the following rules that allow DNS requests to come in to the server:

### tuple ### allow any 53 0.0.0.0/0 any 0.0.0.0/0 Bind9 - in
-A ufw-user-input -p tcp --dport 53 -j ACCEPT -m comment --comment 'dapp_Bind9'
-A ufw-user-input -p udp --dport 53 -j ACCEPT -m comment --comment 'dapp_Bind9'

Bind needs to generate DNS queries as well so that it can resolve what IP it should return to the DNS queries it receives, and it looks like the responses to these end up being blocked:

[UFW BLOCK] IN=ens38 OUT= MAC=00:0c:29:e9:1f:45:10:05:ca:f7:fa:9c:08:00 SRC=8.8.8.8 DST=192.168.0.88 LEN=137 TOS=0x00 PREC=0x80 TTL=124 ID=31598 PROTO=UDP SPT=53 DPT=52910 LEN=117

Should 'ufw allow Bind9' also include rules that allow packets in where the source port is 53 as well? Or should connection tracking cover this, or something?

Other files:

$ cat /etc/ufw/applications.d/bind9
[Bind9]
title=Internet Domain Name Server
description=The Berkeley Internet Name Domain (BIND) implements an Internet domain name server.
ports=53

$ cat /etc/bind/named.conf.options
acl clientips {
    192.168.1.0/24;
    localhost;
    localnets;
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { clientips; };
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    forward only;
    dnssec-enable yes;
    dnssec-validation auto;
    auth-nxdomain no;
    listen-on { 192.168.1.1; 127.0.0.1; };
};

Jamie Strandboge (jdstrand) wrote:

Thank you for using ufw and reporting a bug. Sorry I just saw this now.

The simple syntax (e.g., ufw allow Bind9) is only for ingress filtering to specific ports, but you can specify the extended syntax for ingress or egress filtering.

That said, the default ufw configuration when enabled is default deny for incoming, with default allow for outgoing with connection tracking. With the log entry you gave, it could be that the connection tracking missed (perhaps due to a rules reload?).

In general, you shouldn't have to do anything, but if the packet was mangled in a manner that it isn't showing up with connection tracking or the system is mis-configured, you can do:

$ sudo ufw allow from 8.8.8.8 app Bind9

Changed in ufw:
status: New → Invalid
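The comment above makes the point that the default ufw ruleset already admits replies to outbound queries through connection tracking, so a blocked packet with SPT=53 from one of BIND's own forwarders is a sign that state was lost, not that a rule is missing. The following is an added example (not part of the bug report, of ufw or of BIND) that turns that reasoning into a triage script: it parses the key=value fields of [UFW BLOCK] kernel log lines, pulls the addresses out of the `forwarders { ... };` block of a named.conf.options, and labels each blocked inbound packet as a reply from a configured forwarder, a source-port-53 packet from some other host, or ordinary default-deny noise. For the first class it also prints the ufw extended-syntax rule that would match the reply by source address and source port. The log lines and the named.conf fragment are constructed for the example (the first log line is modelled on the one in the report; the other two are made-up controls). Two caveats a practitioner should keep in mind: a rule keyed on source port 53 admits any packet whose sender chose that source port, so it is a stop-gap for the case where conntrack genuinely cannot be relied on, not a substitute for it; and `ufw allow from ADDRESS app Bind9` matches the profile's port (53) as the destination, i.e. it admits queries from that address, so the rule printed here uses `port` after `from` to match the reply instead.

```python
"""Triage [UFW BLOCK] log lines against a BIND forwarders list.

Added example, not from the bug report, ufw or BIND. The sample log lines
and the named.conf fragment below are constructed for this demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample input. Line 1 is modelled on the report; lines 2 and 3
# are made-up controls: an SSH probe and a "DNS reply" from a host that is
# not a configured forwarder (the kind of packet a source-port rule would
# wrongly admit).
SAMPLE_LOG = [
    "Apr 21 10:00:01 ns kernel: [UFW BLOCK] IN=ens38 OUT= "
    "MAC=00:0c:29:e9:1f:45:10:05:ca:f7:fa:9c:08:00 SRC=8.8.8.8 DST=192.168.0.88 "
    "LEN=137 TOS=0x00 PREC=0x80 TTL=124 ID=31598 PROTO=UDP SPT=53 DPT=52910 LEN=117",
    "Apr 21 10:00:02 ns kernel: [UFW BLOCK] IN=ens38 OUT= MAC=00:00:00:00:00:00 "
    "SRC=203.0.113.7 DST=192.168.0.88 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 "
    "PROTO=TCP SPT=41234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Apr 21 10:00:03 ns kernel: [UFW BLOCK] IN=ens38 OUT= MAC=00:00:00:00:00:00 "
    "SRC=198.51.100.9 DST=192.168.0.88 LEN=80 TOS=0x00 PREC=0x00 TTL=60 ID=2 "
    "PROTO=UDP SPT=53 DPT=40000 LEN=60",
]

SAMPLE_NAMED_CONF = """\
options {
    recursion yes;
    forwarders {
        8.8.8.8;   // constructed, mirrors the report
        8.8.4.4;
    };
    forward only;
};
"""

# ufw log lines carry iptables LOG output: space-separated KEY=VALUE fields.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
FORWARDERS_RE = re.compile(r"forwarders\s*\{([^}]*)\}")


@dataclass(frozen=True)
class Blocked:
    iface_in: str
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]


def parse_ufw_block(line: str) -> Optional[Blocked]:
    """Parse one '[UFW BLOCK]' line; return None for any other line."""
    marker = "[UFW BLOCK]"
    if marker not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(marker, 1)[1]))

    def port(key: str) -> Optional[int]:
        value = fields.get(key, "")
        return int(value) if value.isdigit() else None

    return Blocked(
        iface_in=fields.get("IN", ""),
        src=fields.get("SRC", ""),
        dst=fields.get("DST", ""),
        proto=fields.get("PROTO", ""),
        spt=port("SPT"),
        dpt=port("DPT"),
    )


def parse_forwarders(named_conf: str) -> Set[str]:
    """Addresses from every forwarders { ... }; block, comments stripped."""
    text = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", named_conf, flags=re.S)
    found: Set[str] = set()
    for block in FORWARDERS_RE.findall(text):
        for entry in block.split(";"):
            tokens = entry.split()
            if not tokens:
                continue
            try:
                found.add(str(ipaddress.ip_address(tokens[0])))
            except ValueError:
                pass  # not an address (e.g. a bare option token); skip it
    return found


def classify(pkt: Blocked, forwarders: Set[str]) -> str:
    """Label a blocked inbound packet.

    reply-from-forwarder : SPT=53 from a configured forwarder to an
        ephemeral port, i.e. the answer to a query BIND sent itself.
        Conntrack should have accepted this; its presence means state was
        lost (e.g. a rules reload) or outgoing is not default-allow.
    sport53-unknown-source : SPT=53 from anywhere else. Any sender can pick
        source port 53, so this must not drive an allow rule.
    unsolicited : everything else, the expected default-deny noise.
    """
    if pkt.spt == 53 and pkt.proto in ("UDP", "TCP") and pkt.dpt and pkt.dpt >= 1024:
        return "reply-from-forwarder" if pkt.src in forwarders else "sport53-unknown-source"
    return "unsolicited"


def extended_rule(pkt: Blocked) -> str:
    """ufw extended-syntax rule matching this reply by source address/port.

    Stop-gap only: it admits every packet from that address with source
    port 53, which is far broader than what conntrack would accept.
    """
    return f"ufw allow in proto {pkt.proto.lower()} from {pkt.src} port {pkt.spt} to any"


def triage(log_lines: List[str], named_conf: str) -> List[Tuple[str, Optional[str]]]:
    """Return (verdict, suggested rule or None) for each [UFW BLOCK] line."""
    forwarders = parse_forwarders(named_conf)
    results: List[Tuple[str, Optional[str]]] = []
    for line in log_lines:
        pkt = parse_ufw_block(line)
        if pkt is None:
            continue
        verdict = classify(pkt, forwarders)
        rule = extended_rule(pkt) if verdict == "reply-from-forwarder" else None
        results.append((verdict, rule))
    return results


if __name__ == "__main__":
    for verdict, rule in triage(SAMPLE_LOG, SAMPLE_NAMED_CONF):
        print(f"{verdict:24s} {rule or ''}")
```

On a real host the log lines come from journalctl -k or /var/log/ufw.log and the configuration from /etc/bind/named.conf.options; a steady stream of reply-from-forwarder verdicts points at conntrack state being dropped (check for repeated `ufw reload`, a full nf_conntrack table, or an outgoing policy other than allow) and is worth fixing at that level before any rule is added.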