These are chat archives for CZ-NIC/knot-resolver

2nd Jan 2019
Petr Špaček
@pspacek
Jan 02 09:01
Hi @ookangzheng . It does not really make sense to set limits based on source port because the source port should be random. It should work if you just drop @53 from the view config above.
edoo
@ookangzheng
Jan 02 10:13
because I built a server for my lab, a DNS server with TLS, and port 53 is open to the public.
I want to make sure our lab members can use port 53 (from home; I have their IPs to whitelist), while strangers have their port 53 requests dropped and are only allowed DoT.
So far the only way to solve this problem is using iptables to drop all port 53 UDP/TCP requests, only allowing whitelisted IPs to use port 53.
Petr Špaček
@pspacek
Jan 02 11:02
@ookangzheng So you want to allow clients from certain IP addresses and drop requests from all other IP addresses, is that right?
edoo
@ookangzheng
Jan 02 11:10
yap, also with port number
Example:
IP 1.2.3.4 can use port 53 and TLS
IP 2.3.4.5 cannot use port 53, but can use TLS