This document explains how to enable DNS queries to the PBX so that it can be used as a DNS server from a remote network.

Created: May 2018

Permalink: https://confluence.wildix.com/x/DQCIAQ

Starting from WMS version 3.88.40477.20, DNS queries from all IP addresses except the allowed networks are blocked by the dns_restrict script and its iptables rules.

This means the PBX cannot be used as a DNS server from a remote network.

Allowed networks include:

  • 10.0.0.0/8
  • 100.64.0.0/10
  • 172.16.0.0/12
  • 192.168.0.0/16
  • the networks of all local interfaces.

The dns_restrict service can be started, stopped or restarted with /etc/init.d/dns_restrict start|stop|restart. After the daemon starts, the following changes can be observed in iptables:

root@mstolyarenko:/home/admin# /etc/init.d/dns_restrict start
root@mstolyarenko:/home/admin# iptables -S 
...
bla-bla-bla
...
-A INPUT -i eth0 -p udp -m udp --dport 53 -m recent --update --seconds 1 --hitcount 100 --rttl --name dns_limit --rsource -j BLOCK 
-A INPUT -i eth0 -p udp -m udp --dport 53 -m recent --update --seconds 10 --hitcount 150 --rttl --name dns_limit --rsource -j BLOCK
-A INPUT -i eth0 -p udp -m udp --dport 53 -m recent --update --seconds 30 --hitcount 250 --rttl --name dns_limit --rsource -j BLOCK
-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -s 172.16.0.0/12 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -s 100.64.0.0/10 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -s 172.16.0.8/32 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -s 128.0.0.0/2 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -s 127.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -i eth0 -p udp -m udp --dport 53 -m recent --set --name dns_limit --rsource -j DROP 
...
bla-bla-bla
...

root@mstolyarenko:/home/admin# /etc/init.d/dns_restrict stop 
To make changes persistant - modify /etc/default/dns_restrict and reboot.

root@mstolyarenko:/home/admin# iptables -S 
...
bla-bla-bla
...
-A INPUT -i eth0 -p udp -m udp --dport 53 -m recent --update --seconds 1 --hitcount 100 --rttl --name dns_limit --rsource -j BLOCK 
-A INPUT -i eth0 -p udp -m udp --dport 53 -m recent --update --seconds 10 --hitcount 150 --rttl --name dns_limit --rsource -j BLOCK
-A INPUT -i eth0 -p udp -m udp --dport 53 -m recent --update --seconds 30 --hitcount 250 --rttl --name dns_limit --rsource -j BLOCK
-A INPUT -i eth0 -p udp -m udp --dport 53 -m recent --set --name dns_limit --rsource -j ACCEPT 
...
bla-bla-bla
...
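To check which client addresses a given rule set actually answers, here is an added example that is not part of the Wildix page or of the dns_restrict script itself: a POSIX shell script that parses an iptables -S dump (the sample below is constructed from the rules shown above), collects the source networks that are ACCEPTed on UDP port 53, and reports whether a given client IP would be served. The function names (ip_to_int, dns_accept_sources, in_cidr, dns_verdict) are this example's own. It evaluates only the source-address ACCEPT rules, not the preceding -m recent rate-limit rules, which BLOCK a source that exceeds 100 queries in 1 second, 150 in 10 seconds or 250 in 30 seconds.

```shell
#!/bin/sh
# Added example, not part of the Wildix documentation or dns_restrict.
# Parse an `iptables -S` dump, pick out the source networks ACCEPTed on
# UDP/53, and decide whether a client address falls inside one of them.

# Constructed sample: the relevant lines of the dump after `dns_restrict start`.
SAMPLE_RULES='-A INPUT -i eth0 -p udp -m udp --dport 53 -m recent --update --seconds 1 --hitcount 100 --rttl --name dns_limit --rsource -j BLOCK
-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 100.64.0.0/10 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 172.16.0.8/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 128.0.0.0/2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -m recent --set --name dns_limit --rsource -j DROP'

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the "-s <cidr>" argument of every rule that ACCEPTs UDP dport 53,
# in rule order (iptables matches the first rule that applies).
dns_accept_sources() {
  printf '%s\n' "$1" | awk '
    /--dport 53/ && /-j ACCEPT/ {
      for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1)
    }'
}

# Return 0 if IP lies inside CIDR, 1 otherwise.
in_cidr() {
  local ip=$1 cidr=$2 net prefix mask
  net=${cidr%/*}
  prefix=${cidr#*/}
  if [ "$prefix" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  fi
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Print the first accepting network for a client IP (exit 0), or "blocked"
# (exit 1) if no ACCEPT rule covers it.
dns_verdict() {
  local ip=$1 rules=$2 cidr
  for cidr in $(dns_accept_sources "$rules"); do
    if in_cidr "$ip" "$cidr"; then
      echo "$cidr"
      return 0
    fi
  done
  echo "blocked"
  return 1
}

# Demo over a few constructed client addresses.
for client in 192.168.1.10 10.20.30.40 100.100.1.1 150.1.2.3 8.8.8.8; do
  printf '%-14s -> %s\n' "$client" "$(dns_verdict "$client" "$SAMPLE_RULES")"
done
```

Run it against the real output (assign "$(iptables -S)" to a variable in place of SAMPLE_RULES) rather than assuming only the four documented ranges: the local interface networks are appended as further ACCEPT rules, and the dump shown on this page includes 128.0.0.0/2, which spans 128.0.0.0 to 191.255.255.255, so with that rule set a client at 150.1.2.3 is answered.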

By default, dns_restrict is started and remote DNS queries are blocked. To enable DNS queries temporarily (the change does not survive a reboot), run /etc/init.d/dns_restrict stop.

To allow DNS queries permanently, set the following in the file /etc/default/dns_restrict:

dns_local=0

Then reboot the PBX.
