Created July 29, 2025 21:04
Proxmox Security Group for hardened DNS
```
[IPSET trusted_dns]
9.9.9.11 # Quad9 secured resolver (DNSSEC-validating, ECS-enabled)
149.112.112.11 # Quad9 secured resolver, secondary. IPv4 only: add the resolvers' IPv6 addresses if guests resolve over v6

[group harden_dns_in]
IN REJECT -p tcp -dport 139 -log nolog # NetBIOS Session
IN REJECT -p udp -dport 137,138 -log nolog # NetBIOS Name & Datagram
IN REJECT -p udp -dport 5355 -log nolog # LLMNR
IN REJECT -p udp -dport 5353 -log nolog # mDNS
IN REJECT -p udp -dport 1900 -log nolog # SSDP
IN REJECT -p tcp -dport 853 -log nolog # DNS over TLS

[group harden_dns_out]
# Rules are evaluated first-match: the trusted ACCEPTs must stay above the REJECTs.
OUT ACCEPT -dest +dc/trusted_dns -p udp -dport 53 -log nolog # Trusted DNS
OUT ACCEPT -dest +dc/trusted_dns -p tcp -dport 53 -log nolog # Trusted DNS TCP
OUT REJECT -p tcp -dport 139 -log nolog # NetBIOS Session
OUT REJECT -p udp -dport 137,138 -log nolog # NetBIOS Name & Datagram
OUT REJECT -p udp -dport 5355 -log nolog # LLMNR
OUT REJECT -p udp -dport 5353 -log nolog # mDNS
OUT REJECT -p udp -dport 1900 -log nolog # SSDP
OUT REJECT -p tcp -dport 853 -log nolog # DNS over TLS
OUT REJECT -p udp -dport 853 -log nolog # DNS over QUIC (DoH on tcp/443 cannot be singled out by port)
OUT REJECT -p udp -dport 53 -log nolog # Block DNS to any other resolver
OUT REJECT -p tcp -dport 53 -log nolog # Block the TCP fallback as well (RFC 7766), otherwise tcp/53 to other resolvers still passes
```
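As an added check, not part of the gist: a small Python linter for the `cluster.fw` syntax used above. It parses `[IPSET]` and `[group]` sections, resolves `+dc/` ipset references, reports ACCEPT rules that an earlier catch-all REJECT already matches (pve-firewall evaluates rules first-match, which is why the trusted ACCEPTs have to sit above the REJECTs), and flags a rejected DNS transport whose fallback transport is still open. The embedded config is a constructed copy of `trusted_dns` and `harden_dns_out` with the tcp/53 reject left out and one deliberately broken rule appended; `missing_set` is a hypothetical ipset name.

```python
"""Lint Proxmox VE firewall groups written in the cluster.fw syntax.

Checks: +dc/ ipset references resolve, no ACCEPT sits below a catch-all
REJECT/DROP that already matches it (first-match evaluation), and a
blocked DNS transport is not left open on its fallback transport."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input for this example: the trusted_dns set and a copy
# of harden_dns_out without the tcp/53 reject, plus one broken rule at the end.
SAMPLE_CONFIG = """\
[IPSET trusted_dns]
9.9.9.11
149.112.112.11

[group harden_dns_out]
OUT ACCEPT -dest +dc/trusted_dns -p udp -dport 53 -log nolog # Trusted DNS
OUT ACCEPT -dest +dc/trusted_dns -p tcp -dport 53 -log nolog # Trusted DNS TCP
OUT REJECT -p udp -dport 5355 -log nolog # LLMNR
OUT REJECT -p tcp -dport 853 -log nolog # DNS over TLS
OUT REJECT -p udp -dport 53 -log nolog # Block DNS
OUT ACCEPT -dest +dc/missing_set -p udp -dport 53 # hypothetical: dangling ipset, unreachable
"""

# If the first transport is rejected for every destination, the second must be
# too, or a resolver simply switches to it.
PAIRED_TRANSPORTS = {
    ("udp", 53): (("tcp", 53), "DNS falls back to TCP (RFC 7766)"),
    ("tcp", 853): (("udp", 853), "DNS over QUIC (RFC 9250) uses udp/853"),
}


@dataclass
class Rule:
    direction: str      # IN or OUT
    action: str         # ACCEPT, REJECT, DROP; macros such as SSH(ACCEPT) are left alone
    proto: str | None   # -p value, None means any protocol
    dports: set[int]    # expanded -dport list, empty means any port
    dest: str | None    # -dest value, e.g. +dc/trusted_dns
    source: str | None  # -source value


def expand_ports(spec: str) -> set[int]:
    """'53' -> {53}; '137,138' -> {137, 138}; '1024:1026' -> {1024, 1025, 1026}."""
    ports: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse(text: str) -> tuple[dict[str, list[str]], dict[str, list[Rule]]]:
    """Return ({ipset: [entries]}, {group: [rules]}); other sections are skipped."""
    ipsets: dict[str, list[str]] = {}
    groups: dict[str, list[Rule]] = {}
    targets = {"ipset": ipsets, "group": groups}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)(?:\s+(\S+))?\]", line)
        if header:
            section = (header.group(1).lower(), header.group(2))
            if section[0] in targets:
                targets[section[0]].setdefault(section[1], [])
            continue
        if section is None or section[0] not in targets:
            continue  # [OPTIONS], [RULES], [ALIASES] are not linted here
        kind, name = section
        if kind == "ipset":
            ipsets[name].append(line)
            continue
        tokens = line.split()
        opts = dict(zip(tokens[2::2], tokens[3::2]))  # every option takes one value
        groups[name].append(Rule(
            direction=tokens[0].upper(), action=tokens[1].upper(), proto=opts.get("-p"),
            dports=expand_ports(opts["-dport"]) if "-dport" in opts else set(),
            dest=opts.get("-dest"), source=opts.get("-source")))
    return ipsets, groups


def shadows(earlier: Rule, later: Rule) -> bool:
    """True when a catch-all earlier rule already matches all of later's traffic."""
    if earlier.direction != later.direction or earlier.dest or earlier.source:
        return False
    if earlier.proto and later.proto != earlier.proto:
        return False
    return not earlier.dports or bool(later.dports and later.dports <= earlier.dports)


def lint(text: str) -> list[str]:
    ipsets, groups = parse(text)
    findings = []
    for gname, rules in groups.items():
        blocked = set()  # (direction, proto, port) rejected for every destination
        for i, r in enumerate(rules):
            for ref in (r.dest, r.source):
                if ref and ref.startswith("+dc/") and ref[4:] not in ipsets:
                    findings.append(f"{gname}#{i}: references undefined ipset {ref}")
            if r.action == "ACCEPT":
                for j, earlier in enumerate(rules[:i]):
                    if earlier.action in ("REJECT", "DROP") and shadows(earlier, r):
                        findings.append(f"{gname}#{i}: ACCEPT is unreachable, shadowed by rule #{j}")
            elif r.action in ("REJECT", "DROP") and not (r.dest or r.source) and r.proto:
                blocked.update((r.direction, r.proto, p) for p in r.dports)
        for (proto, port), ((pproto, pport), why) in PAIRED_TRANSPORTS.items():
            for direction in ("IN", "OUT"):
                if (direction, proto, port) in blocked and (direction, pproto, pport) not in blocked:
                    findings.append(f"{gname}: {direction} {proto}/{port} is rejected for every "
                                    f"destination but {pproto}/{pport} is not: {why}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it over the real file with `lint(open("/etc/pve/firewall/cluster.fw").read())`. `pve-firewall compile` on the host validates syntax and prints the generated iptables rules, but it does not tell you that an ACCEPT is shadowed or that a blocked transport has an open twin; that is what this check adds.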