I'm sure you've used a Hetzner DE server before. Their pricing is great, the servers work well, and their cloud prices are incredible!
But if you get a bare-metal server, like one of the AMD AX-line servers (https://www.hetzner.com/dedicated-rootserver/matrix-ax), you might want to double down on firewall security by using their firewall ahead of your internal one. By default, their firewall allows all connections, which isn't very secure, especially if you don't want to expose any ports to the public.
But here's the catch: their firewall rules are evaluated on incoming packets only and don't track connection state. So you have to understand TCP flows and what happens when you make outgoing requests. If you block all incoming traffic, your outgoing traffic also fails, because their firewall drops the acknowledgements and other TCP flags required when establishing a connection with another server.
So what do you do? You check their docs and allow the ack flag for the 32769-65535 port range on the tcp protocol. Sounds good, and it looks like you can now access IP addresses, but when you try to access a domain name (like entrostat.com) it doesn't resolve. This isn't always the case, but it happens when you want to use external DNS providers like CloudFlare (126.96.36.199) or Google (188.8.131.52). When you do this, the above rule doesn't apply, because it's for tcp and your outgoing DNS requests are udp, so you need to add a few more rules!
The important thing to understand with DNS is that generally the port is 53 and the protocol is udp. So if you want to allow your server to ask the CloudFlare or Google DNS servers to resolve a domain name for you, you should "allow" their IPs access when the source port is
In essence, your rules would look something like this:
|Name|Source IP|Destination IP|Source Port|Destination Port|Protocol|TCP flags|Action|
|---|---|---|---|---|---|---|---|
|Allow Outgoing TCP| | | |32769-65535|tcp|ack|accept|
|Google Main DNS|184.108.40.206| |53| |udp| |accept|
|Google Secondary DNS|220.127.116.11| |53| |udp| |accept|
Note that with only these rules you won't be able to reach services like http on the server, because those ports are not open. So you'll have to configure it to fit your needs.
I would recommend checking out CloudFlare and the tunnel product that they offer. In that case, you could just use these rules and the tunnel could provide ssh access to you using their Zero Trust platform.
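To make the "incoming packets only" behaviour concrete, here is a small simulator I added for this post (it is not Hetzner's code and not part of the original article). It models a stateless, first-match rule table like the one above with an assumed default of discarding anything no rule matches, then runs a few constructed packets through it: a DNS reply from a listed resolver, a DNS reply from an unlisted resolver, the SYN-ACK coming back for an outgoing HTTPS connection, and an inbound SYN to port 22. The server address 203.0.113.10 and the unlisted peer 198.51.100.5 are made-up documentation addresses; the resolver addresses are the ones in the post's table, so substitute your own resolver's real address.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

PortRange = tuple[int, int]  # inclusive (low, high)


@dataclass(frozen=True)
class Rule:
    """One row of the (stateless) inbound rule table. None means 'any'."""
    name: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[PortRange] = None
    dst_port: Optional[PortRange] = None
    protocol: Optional[str] = None           # "tcp" or "udp"
    tcp_flags: frozenset[str] = frozenset()  # flags that must all be set
    action: str = "accept"


@dataclass(frozen=True)
class Packet:
    """An inbound packet as seen by the edge firewall (before the server)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    tcp_flags: frozenset[str] = frozenset()


def _port_ok(port: int, rng: Optional[PortRange]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every populated field of the rule must match; empty fields match anything."""
    if rule.src_ip is not None and ip_address(rule.src_ip) != ip_address(pkt.src_ip):
        return False
    if rule.dst_ip is not None and ip_address(rule.dst_ip) != ip_address(pkt.dst_ip):
        return False
    if not _port_ok(pkt.src_port, rule.src_port) or not _port_ok(pkt.dst_port, rule.dst_port):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    # A flag rule means "these bits are set", so a SYN-ACK satisfies an "ack" rule.
    if rule.tcp_flags and (pkt.protocol != "tcp" or not rule.tcp_flags <= pkt.tcp_flags):
        return False
    return True


def evaluate(rules: list[Rule], pkt: Packet, default: str = "discard") -> tuple[str, str]:
    """First matching rule wins; unmatched packets get the default (assumed: discard)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


# The rule table from the post. Resolver IPs copied from the table; replace with
# the address your server actually queries.
RULES = [
    Rule("Allow Outgoing TCP", dst_port=(32769, 65535), protocol="tcp",
         tcp_flags=frozenset({"ack"})),
    Rule("Google Main DNS", src_ip="184.108.40.206", src_port=(53, 53), protocol="udp"),
    Rule("Google Secondary DNS", src_ip="220.127.116.11", src_port=(53, 53), protocol="udp"),
]

SERVER = "203.0.113.10"  # constructed address for the Hetzner box

# Constructed inbound packets; the first three are replies to traffic the server initiated.
SCENARIOS = {
    "dns reply from listed resolver":
        Packet("184.108.40.206", SERVER, 53, 40001, "udp"),
    "dns reply from unlisted resolver":
        Packet("198.51.100.5", SERVER, 53, 40001, "udp"),
    "syn-ack for our outgoing https connection":
        Packet("198.51.100.5", SERVER, 443, 40002, "tcp", frozenset({"syn", "ack"})),
    "unsolicited syn to ssh":
        Packet("198.51.100.5", SERVER, 51000, 22, "tcp", frozenset({"syn"})),
}


def simulate(rules: list[Rule] = RULES) -> dict[str, tuple[str, str]]:
    """Run every scenario through the table and return {scenario: (action, rule)}."""
    return {label: evaluate(rules, pkt) for label, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for label, (action, rule) in simulate().items():
        print(f"{label:45s} -> {action:8s} ({rule})")
```

The second scenario is the whole point of the post: a resolver that has no row of its own never gets its UDP replies through, so name resolution silently fails even though the TCP rule works. The last scenario shows why the same table leaves ssh unreachable until you either add a rule or go through a tunnel.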
Now that the CloudFlare and Google DNS servers have been added, you should find that you can resolve your domain names :)!
And here's the final note, and it's SUPER IMPORTANT! Please make sure you understand how to set up firewalls and that you still use internal firewalls to control access to your server. This is just a high-level guide on how to allow external DNS, but you should still use pfSense or something similar to lock your server down internally. My advice is to speak to a network and security specialist in everything that you do to ensure that you're following best practices. I have worked in the DevOps space for a long time, but I am by no means a network specialist and I cannot guarantee that the above rules are 100% secure.
Anyways, for those of you that have a Hetzner DE server and want to use CloudFlare DNS, I hope this helps :)!