'ufw allow Bind9' doesn't seem to add rules allowing Bind to receive DNS responses
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw | Invalid | Undecided | Unassigned | 
Bug Description
```
$ ufw --version
ufw 0.36
Copyright 2008-2015 Canonical Ltd.
$ lsb_release -d
Description: Ubuntu 18.04.4 LTS
```
I used 'ufw allow Bind9' to add rules allowing the Bind instance on my machine to work, but it looks like ufw only adds the following rules that allow DNS requests to come in to the server:
```
### tuple ### allow any 53 0.0.0.0/0 any 0.0.0.0/0 Bind9 - in
-A ufw-user-input -p tcp --dport 53 -j ACCEPT -m comment --comment 'dapp_Bind9'
-A ufw-user-input -p udp --dport 53 -j ACCEPT -m comment --comment 'dapp_Bind9'
```
Bind needs to generate DNS queries as well so that it can resolve what IP it should return to the DNS queries it receives, and it looks like the responses to these end up being blocked:
```
[UFW BLOCK] IN=ens38 OUT= MAC=00:
```
Should 'ufw allow Bind9' also include rules that allow packets in where the source port is 53 as well? Or should connection tracking cover this, or something?
Other files:
```
$ cat /etc/ufw/
[Bind9]
title=Internet Domain Name Server
description=The Berkeley Internet Name Domain (BIND) implements an Internet domain name server.
ports=53
```

```
$ cat /etc/bind/
acl clientips {
    192.168.1.0/24;
    localhost;
    localnets;
};
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { clientips; };
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    forward only;
    dnssec-enable yes;
    dnssec-
    auth-nxdomain no;
    listen-on { 192.168.1.1; 127.0.0.1; };
};
```
Thank you for using ufw and reporting a bug. Sorry I just saw this now.
The simple syntax (e.g., ufw allow Bind9) is only for ingress filtering to specific ports, but you can specify the extended syntax for ingress or egress filtering.
That said, the default ufw configuration when enabled is default deny for incoming, with default allow for outgoing with connection tracking. With the log entry you gave, it could be that the connection tracking missed (perhaps due to a rules reload?).
In general, you shouldn't have to do anything, but if the packet was mangled in a manner that it isn't showing up with connection tracking or the system is mis-configured, you can do:
```
$ sudo ufw allow from 8.8.8.8 app Bind9
```
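A triage check for the symptom in this report, added here as an example that is not part of the bug thread or of ufw itself: it parses kernel `[UFW BLOCK]` lines and separates dropped inbound packets with source port 53 that come from the configured forwarders (replies to BIND's own queries, which connection tracking should have accepted) from unsolicited source-port-53 traffic, which may legitimately stay blocked. The log lines are constructed samples in the netfilter LOG format, since the line quoted in the report is truncated; the forwarder set and interface name are taken from the reporter's configuration.

```python
import re
from collections import Counter

# Constructed sample lines (not from the report) in the format ufw's LOG target emits.
# The first three are UDP replies from port 53; the last is an unrelated SSH SYN.
SAMPLE_LOG = """\
Mar  1 10:00:01 ns1 kernel: [UFW BLOCK] IN=ens38 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=8.8.8.8 DST=192.168.1.1 LEN=120 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=53 DPT=41234 LEN=100
Mar  1 10:00:02 ns1 kernel: [UFW BLOCK] IN=ens38 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=8.8.4.4 DST=192.168.1.1 LEN=96 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=53 DPT=51000 LEN=76
Mar  1 10:00:03 ns1 kernel: [UFW BLOCK] IN=ens38 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.1 LEN=80 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=40000 LEN=60
Mar  1 10:00:04 ns1 kernel: [UFW BLOCK] IN=ens38 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1234 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# KEY=value tokens; flag-only tokens such as DF or SYN have no '=' and are skipped.
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_ufw_block(line):
    """Return the KEY=value fields of a '[UFW BLOCK]' line, or None for any other line."""
    if "[UFW BLOCK]" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line.split("[UFW BLOCK]", 1)[1]):
        fields.setdefault(key, value)  # LEN appears twice; keep the first (IP total length)
    return fields


def blocked_dns_replies(log_text, forwarders):
    """Count dropped inbound packets whose source port is 53, split by whether the
    sender is one of BIND's forwarders (a reply conntrack should have let through)
    or some other host (unsolicited, and not explained by the reported bug)."""
    expected, unexpected = Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_ufw_block(line)
        if not f or not f.get("IN"):          # skip non-block lines and egress drops
            continue
        if f.get("PROTO") not in ("UDP", "TCP") or f.get("SPT") != "53":
            continue
        (expected if f["SRC"] in forwarders else unexpected)[f["SRC"]] += 1
    return expected, unexpected


if __name__ == "__main__":
    forwarders = {"8.8.8.8", "8.8.4.4"}   # from the reporter's named.conf
    exp, unexp = blocked_dns_replies(SAMPLE_LOG, forwarders)
    print("dropped replies from forwarders (conntrack should have allowed):", dict(exp))
    print("dropped unsolicited source-port-53 packets:", dict(unexp))
```

A non-empty first counter on a host where `ufw status` shows only the `Bind9` ingress rules points at the conntrack miss the maintainer describes; the second counter is noise that a `from <forwarder> app Bind9` rule would correctly leave blocked.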