How to allow Domains by reverse DNS lookup in CSF on Debian 12


Introduction:

Allowing domains by reverse DNS lookup, commonly configured with CSF (ConfigServer Security & Firewall), means validating incoming connections against the DNS records associated with their IP addresses. The aim is to verify that incoming connections come from hosts whose reverse DNS entries match their IP addresses. By permitting connections only from domains that pass this check, administrators reduce the risk posed by spoofed or malicious IP addresses. In the configuration used below, the allow list itself is maintained by lfd, which resolves each FQDN listed in /etc/csf/csf.dyndns and adds the resulting IP addresses to the ALLOWDYNIN and ALLOWDYNOUT iptables chains, while LF_LOOKUPS turns on reverse DNS lookups on IP addresses.

Procedure:

Step 1: Check the OS version by using the below command.

root@linuxhelp:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL=https://bugs.debian.org/

Step 2: Open the dyndns configuration file and make the domain entry by using the below command.

root@linuxhelp:~# vim /etc/csf/csf.dyndns
###############################################################################
# Copyright 2006-2018, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following FQDN's will be allowed through the firewall. This is controlled
# by lfd which checks the DNS resolution of the FQDN and adds the ip address
# into the ALLOWDYNIN and ALLOWDYNOUT iptables chains. lfd will check for IP
# updates every DYNDNS seconds if set.
#
# If the FQDN has multiple A records then all of the IP addresses will be
# processed. If IPV6 is enabled and the perl module Socket6 from cpan.org is
# installed, then all IPv6 AAAA IP address records will also be allowed.
#
# Only list fully qualified domain names (FQDN's) in this file, either on their
# own to allow full access, or using Advanced Allow/Deny Filters (see
# readme.txt)
#
google.com

Step 3: Open the csf configuration file and enable reverse DNS lookups and dyndns by using the below command. DYNDNS is the interval in seconds at which lfd re-resolves the names in csf.dyndns; a value of 0 disables the feature, so set it to a non-zero interval.

root@linuxhelp:~# vim /etc/csf/csf.conf
# Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS)
LF_LOOKUPS = "1"
# A setting of 600 would check for IP updates every 10 minutes. Set the value
DYNDNS = "600"

Step 4: Reload and Apply the changes by using the below command.

root@linuxhelp:~# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
     Active: active (running) since Tue 2024-06-25 18:58:18 IST; 12ms ago
    Process: 26978 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
   Main PID: 26987 (lfd - starting)
      Tasks: 1 (limit: 3408)
     Memory: 25.5M
        CPU: 212ms
     CGroup: /system.slice/lfd.service
             └─26987 "lfd - starting"

Jun 25 18:58:18 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Jun 25 18:58:18 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
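
To confirm the result of Steps 2 to 4, the script below is an added example (not part of the original tutorial or of CSF) that audits the two edited files and flags the case where names are listed in csf.dyndns but DYNDNS is 0, which leaves them unprocessed. The function names are hypothetical; the file paths and the ALLOWDYNIN chain name are the ones shown above, and check_chain assumes root, working DNS and the iptables backend.

```shell
#!/bin/sh
# Added example: audit the two CSF files edited in Steps 2 and 3.

# Print the value of KEY = "value" from csf.conf (last occurrence is used).
csf_setting() {  # usage: csf_setting KEY [conf]
    sed -n "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" \
        "${2:-/etc/csf/csf.conf}" | tail -n 1
}

# List the entries in csf.dyndns, skipping comments and blank lines.
dyndns_entries() {  # usage: dyndns_entries [file]
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "${1:-/etc/csf/csf.dyndns}"
}

# Return 1 when entries are listed but DYNDNS is "0" or unset (lfd never polls them).
audit_dyndns() {  # usage: audit_dyndns [conf] [dyndns]
    conf="${1:-/etc/csf/csf.conf}"; list="${2:-/etc/csf/csf.dyndns}"
    interval=$(csf_setting DYNDNS "$conf")
    count=$(dyndns_entries "$list" | wc -l | tr -d ' ')
    if [ "$count" -gt 0 ] && [ "${interval:-0}" -eq 0 ]; then
        echo "FAIL: $count entries in $list but DYNDNS=\"${interval:-unset}\""
        return 1
    fi
    echo "OK: DYNDNS=\"$interval\", $count entries, LF_LOOKUPS=\"$(csf_setting LF_LOOKUPS "$conf")\""
}

# Live check (root + working DNS): is each resolved IPv4 address in ALLOWDYNIN?
# Handles plain FQDN lines only; advanced filter lines are not parsed here.
check_chain() {  # usage: check_chain [dyndns]
    rules=$(iptables -S ALLOWDYNIN 2>/dev/null)
    dyndns_entries "$1" | while read -r fqdn; do
        for ip in $(getent ahostsv4 "$fqdn" | awk '{print $1}' | sort -u); do
            case "$rules" in
                *"-s $ip/32 "*) echo "$fqdn $ip present" ;;
                *) echo "$fqdn $ip MISSING from ALLOWDYNIN" ;;
            esac
        done
    done
}

# Constructed sample: one FQDN listed while DYNDNS is left at 0.
demo=$(mktemp -d)
printf '%s\n' 'LF_LOOKUPS = "1"' 'DYNDNS = "0"' > "$demo/csf.conf"
printf '%s\n' '# comment' 'google.com' > "$demo/csf.dyndns"
audit_dyndns "$demo/csf.conf" "$demo/csf.dyndns"   # reports FAIL
rm -rf "$demo"
```

On the firewall host, run `audit_dyndns` with no arguments to read the real files, then `check_chain` as root once lfd has had one DYNDNS interval to populate the chain.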

Conclusion:

We have reached the end of this article. In this guide, we have walked you through the steps required to allow domains by reverse DNS lookup in CSF on Debian 12. Your feedback is welcome.

Tags:
michael
Author: 


Frequently asked questions ( 5 )

Q: What is reverse DNS lookup, and why is it important in CSF?

A: Reverse DNS lookup is the process of resolving an IP address back into a domain name. In CSF, allowing domains based on reverse DNS lookup helps verify the authenticity of incoming connections. It ensures that connections originate from hosts with valid reverse DNS entries, reducing the risk of spoofed or malicious IP addresses.

Q: How do I enable reverse DNS lookup in CSF?

A: To enable reverse DNS lookup in CSF, you typically configure the LF_RDNS setting in the CSF configuration file (/etc/csf/csf.conf). Set LF_RDNS to 1 to enable reverse DNS checks. You can also specify additional settings such as RDNS_CHILDREN to control the number of child processes handling reverse DNS lookups.

Q: What happens if an incoming connection fails the reverse DNS lookup check?

A: If an incoming connection fails the reverse DNS lookup check in CSF, it can be handled according to the firewall rules configured. By default, CSF can log such events (LF_IPSET or LF_TRIGGER) and optionally block the connection (LF_BLOCK). Administrators can customize these actions based on their security policies.

Q: Can reverse DNS lookup affect server performance?

A: Yes, reverse DNS lookup can potentially affect server performance, especially if not optimized. CSF provides options (RDNS_CHILDREN setting) to control how many child processes handle reverse DNS lookups concurrently, which can mitigate performance impact by distributing the workload.

Q: Are there instances where reverse DNS lookup may not function as intended?

A: Yes, reverse DNS lookup might not work reliably in certain situations:

  • Misconfigured DNS: If the DNS records are incorrect or outdated, reverse DNS lookup may fail.
  • IP address pools: Some ISPs or networks may use generic or shared reverse DNS entries, which might not match individual hostnames.
  • Firewall limitations: If outbound DNS requests are blocked by a firewall, reverse DNS lookup cannot retrieve the domain name.
