[CentOS] iptables -d fqdn instead of IP

Ryan Lynch ryan.b.lynch at gmail.com
Thu Oct 29 15:58:03 UTC 2009


KB is correct--IPTables performs a DNS lookup when it processes the
rule. It doesn't slow down to run a DNS lookup for every packet it
sees.

There are some practical risks to using hostnames, if you're not
expecting them, though. If you lose DNS services during startup, your
boot will hang for a while trying to resolve those names. Plus, even
after it does finish booting, you will be missing the firewall rules
that contained the unresolvable names, which may compromise your
security to a greater or lesser extent..

Personally, I would avoid using hostnames in iptables startup scripts
for these reasons, unless I had some automated notification and
fail-safe action for this case, or if I had all the relevant hostnames
listed in /etc/hosts or a really persistent local cache, like nscd w/
the 'reload-count infinite' option.


On 2009-10-29, Karanbir Singh <mail-lists at karan.org> wrote:
> On 10/29/2009 10:29 AM, Vinicius Coque wrote:
>>> does it work to define iptables rules with a fqdn as destination
>>> instead of an IP address? Or is it useful to resolve the name first
>>> using e.g. nslookup, writing the result to a variable which is then
>>> used within the -d statement?
>
> I guess that depends on what you are trying to achieve, afaik iptables
> will not hit DNS for each packet, and will only resolve at time of table
> / policy creation.
>
> - KB
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>


-- 
Ryan B. Lynch
ryan.b.lynch at gmail.com


More information about the CentOS mailing list