Questions on securing acme-dns

Thanks to all the wonderful info here and on joohoi’s github I think i have a basic understanding of setting up a self-hosted acme-dns server at home. But I have a few questions on the best practices for securing the installation. I think I will use certbot—acme-dns-certbot-joohoi—acme-dns docker instance.

I assume I will port forward 53 from my firewall to the internal VM hosting the acme-dns server. I am loathe to leave the server up with an open port 53 to the Internet. So I will get certbot to bring up the acme-dns instance as required. This seems easier than opening and closing the port on the actual firewall which is on another machine and not particularly friendly to scripted (re-)configuration

  • does this seem reasonable, is there a better way say ufw on server (VM) to close the port or something
  • can acme-dns be persuaded to log for DNS, who is talking to it; I can see the logs about what, but not who was asking.
  • does LE work equally well on 53/udp only; if I turn off the acme-dns server and it is UDP only, it will be more of a ‘black hole’
1 Like

Sorry for the typos, auto-corrupt is not your friend :wink:

1 Like

If there is nothing listening (most of the time) on that port, then it really makes no difference if the UFW is closed or open.
UDP/53 might work for most situations; it basically depends on the size of the DNS request - which will have to be TCP once it gets too large (Like for DNSSEC). But if you are only doing one domain at a time, it may work.
But overall there is not much of a greater security implication from TCP over UDP for DNS (recent MS SIGRed excluded).

2 Likes

why would you do that?

moreover: why would your ISP allow you to do that? :smiley:

1 Like

my ISP does not block port 53.

1 Like

lucky you :smiley:

and some more chars

4 Likes

Just add a 2nd :smiley:. That is = 8 characters. :wink:

3 Likes

Or just use  

3 Likes

or <putintextthatnoonecansee>

except you

To help secure acme-dns, I use iptables and have a custom acme-dns chain (see https://github.com/joohoi/acme-dns/issues/67). I use a certbot hook to open the ports into the chain on startup, and on shutdown I flush the chain; the same hook script starts/stops the acme-dns service too. The result is that acme-dns is only running and the port 53 resolver and the 8011 website are only accessible when i explicitly need it.

if you’re not familiar with iptables, it’s lowerlevel than ufw.

1 Like

Noted re iptables. I seem to have a mental block when it comes to iptables “my brain just hurts and i always get it wrong”; on the whole, ufw seems a bit simpler to me :thinking:

But thanks for the hint. I am setting up specific logging on the firewall to see how much incoming traffic i am currently blocking on port 53 so I, have an idea of the magnitude of the problem and also to see if there is a increase after I publish the acme-dns server’s IP on my main DNS.

1 Like

ufw is definitely simpler. it’s actually a frontend to iptables and just manages that under-the-hood.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.