Hetzner DE Firewall and External DNS

I'm sure you've used a Hetzner DE server before. Their pricing is great, the servers work well, and their cloud prices are incredible!

But if you get a bare-metal server, like one of the AMD AX-line servers (https://www.hetzner.com/dedicated-rootserver/matrix-ax), you may want a second layer of filtering: Hetzner's own firewall, configured in Robot, sits in front of your server and filters traffic before it ever reaches the host firewall on the box. Until you enable it, everything is allowed through. That's not very secure, especially if you don't intend to open any ports to the public.

But here's the catch: their firewall is stateless and only looks at incoming packets. It has no idea which packets are replies to connections your server opened itself. So if you drop all incoming traffic, your outgoing connections fail too: the SYN-ACK of the TCP handshake and every later ACK-flagged packet from the remote side arrive as incoming packets that match no rule and get discarded.

So what do you do? You check their docs and add a rule that accepts tcp packets with the ack flag set whose destination port is in the 32768-65535 range. That is the local port your server picked for the connection, so the range has to cover the kernel's ephemeral port range (check it with cat /proc/sys/net/ipv4/ip_local_port_range; the Linux default is 32768-60999). Sounds good, and you can now reach IP addresses, but when you try to access a domain name (like entrostat.com) it doesn't resolve. This happens whenever your resolver runs on another host, for example CloudFlare's 1.1.1.1 or Google's 8.8.8.8. The rule above doesn't help because it only matches tcp, and your outgoing DNS queries and their replies are udp, so you need to add a few more rules!

The important thing to understand with DNS is that queries normally go to port 53 over udp, and the reply comes back from the resolver's IP with source port 53 and your ephemeral port as the destination. So if you want to allow your server to ask the CloudFlare or Google DNS servers to resolve a domain name for you, you should "allow" udp packets from their IPs when the source port is 53. (Answers too large for udp are retried over tcp port 53; those replies carry the ack flag and land on an ephemeral port, so the tcp rule above already covers them.)

In essence, your rules would look something like this (the tcp range starts at 32768, the bottom of the Linux default local port range, and you need one udp row per resolver you list in /etc/resolv.conf, for example 1.0.0.1 if you use CloudFlare's secondary):

Name                  Source IP  Destination IP  Source Port  Destination Port  Protocol  TCP flags  Action
Allow Outgoing TCP    -          -               -            32768-65535       tcp       ack        accept
CloudFlare DNS        1.1.1.1    -               53           -                 udp       -          accept
Google Main DNS       8.8.8.8    -               53           -                 udp       -          accept
Google Secondary DNS  8.8.4.4    -               53           -                 udp       -          accept
⚠️ Please note, these are not the only rules you should have. If you just have these rules, you won't be able to access the server via ssh or http, because nothing accepts new incoming connections on those ports. Add rules for the ports you actually expose, ideally restricted to the source IPs you connect from, so the table fits your needs.
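To make the stateless behaviour concrete, here is a small model of how the Robot firewall evaluates the table above against incoming packets, with a minimal connection tracker beside it to show what a stateful host firewall adds. This is an added example written for this post, not code from the original article or from Hetzner: the Rule and Packet structures, the server address 203.0.113.10, the remote addresses and the sample packets are all constructed here, and the assumed Linux local port range 32768-60999 is the kernel default.

```python
"""Stateless first-match evaluation of the Hetzner Robot firewall rules above,
next to a toy connection tracker. Added example; everything below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed Linux default; confirm on the box with: cat /proc/sys/net/ipv4/ip_local_port_range
LINUX_LOCAL_PORTS = (32768, 60999)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    proto: str                          # "tcp" or "udp"
    flags: frozenset = frozenset()      # TCP flags that are set, e.g. {"syn", "ack"}


@dataclass
class Rule:
    """One row of the Robot firewall table; None means 'any'."""
    name: str
    src_ip: Optional[str] = None                 # address or CIDR
    sport: Optional[Tuple[int, int]] = None
    dport: Optional[Tuple[int, int]] = None
    proto: Optional[str] = None
    flags: frozenset = frozenset()               # every listed flag must be set
    action: str = "accept"

    def matches(self, p: Packet) -> bool:
        if self.src_ip is not None and ip_address(p.src_ip) not in ip_network(self.src_ip, strict=False):
            return False
        if self.sport is not None and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        return self.flags <= p.flags


def robot_verdict(rules, p: Packet, default: str = "discard"):
    """Stateless, top-to-bottom, first-match evaluation of an incoming packet.
    With the firewall active, a packet matching no rule gets the default (discard)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return default, "no rule matched"


class StatefulFilter:
    """What a host firewall with connection tracking adds: a reply is accepted
    only if the server itself opened the flow it belongs to."""
    def __init__(self):
        self._flows = set()

    def record_outbound(self, p: Packet):
        self._flows.add((p.proto, p.dst_ip, p.dport, p.src_ip, p.sport))

    def inbound_verdict(self, p: Packet) -> str:
        reverse = (p.proto, p.src_ip, p.sport, p.dst_ip, p.dport)
        return "accept" if reverse in self._flows else "discard"


def rule_covers_local_ports(rule_dport, local_ports=LINUX_LOCAL_PORTS) -> bool:
    """The 'ack' rule's destination range must include every port the kernel may pick."""
    return rule_dport[0] <= local_ports[0] and rule_dport[1] >= local_ports[1]


SERVER = "203.0.113.10"     # constructed server address (TEST-NET-3)
ROBOT_RULES = [
    Rule("Allow Outgoing TCP", dport=(32768, 65535), proto="tcp", flags=frozenset({"ack"})),
    Rule("CloudFlare DNS", src_ip="1.1.1.1", sport=(53, 53), proto="udp"),
    Rule("Google Main DNS", src_ip="8.8.8.8", sport=(53, 53), proto="udp"),
    Rule("Google Secondary DNS", src_ip="8.8.4.4", sport=(53, 53), proto="udp"),
]

# Constructed sample packets, all arriving at the server.
SAMPLES = {
    "https_syn_ack":  Packet("93.184.216.34", SERVER, 443, 45000, "tcp", frozenset({"syn", "ack"})),
    "dns_reply_cf":   Packet("1.1.1.1", SERVER, 53, 51000, "udp"),          # udp answer from CloudFlare
    "dns_reply_tcp":  Packet("1.1.1.1", SERVER, 53, 51001, "tcp", frozenset({"ack", "psh"})),  # tcp fallback
    "dns_reply_9999": Packet("9.9.9.9", SERVER, 53, 51002, "udp"),          # resolver not in the table
    "ssh_syn":        Packet("198.51.100.7", SERVER, 4444, 22, "tcp", frozenset({"syn"})),     # unsolicited
    "ack_scan":       Packet("198.51.100.7", SERVER, 4444, 40000, "tcp", frozenset({"ack"})),  # unsolicited
}


def run_samples():
    """Return {name: (robot_action, matched_rule, host_conntrack_action)} for every sample."""
    host = StatefulFilter()
    # Flows the server opened itself; everything else in SAMPLES is unsolicited.
    host.record_outbound(Packet(SERVER, "93.184.216.34", 45000, 443, "tcp", frozenset({"syn"})))
    host.record_outbound(Packet(SERVER, "1.1.1.1", 51000, 53, "udp"))
    host.record_outbound(Packet(SERVER, "1.1.1.1", 51001, 53, "tcp", frozenset({"syn"})))
    out = {}
    for name, p in SAMPLES.items():
        action, rule = robot_verdict(ROBOT_RULES, p)
        out[name] = (action, rule, host.inbound_verdict(p))
    return out


if __name__ == "__main__":
    for name, (action, rule, stateful) in run_samples().items():
        print(f"{name:14} robot={action:7} ({rule})  host-conntrack={stateful}")
    print("ack rule covers kernel local ports:", rule_covers_local_ports((32768, 65535)))
```

Two results are worth dwelling on. The reply from 9.9.9.9 is dropped simply because it has no row, which is why every resolver in /etc/resolv.conf needs its own udp rule. And the ack_scan packet is accepted by the Robot rules: a stateless ack rule cannot tell a real reply from any ack-flagged packet aimed at the ephemeral range, while the connection tracker drops it because no matching outbound flow exists. That gap is exactly what the internal firewall is for.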

I would recommend checking out CloudFlare and the Tunnel product that they offer. With a tunnel the server only makes outgoing connections, so you could use just these rules and let the tunnel provide http and ssh access through their Zero Trust platform instead of open ports. One caveat: cloudflared's default transport is QUIC over udp, which these rules don't allow; it falls back to http2 over tcp on its own, or you can force that with --protocol http2.

Now that the CloudFlare and Google DNS rules are in place, you should find that your domain names resolve again :)!

And here's the final note, and it's SUPER IMPORTANT! Please make sure you understand how to set up firewalls and that you still use internal firewalls to control access to your server. This is just a high-level guide on how to allow external DNS, and the Hetzner rules are stateless: the ack rule accepts any ack-flagged packet to the ephemeral range, whoever sends it. So you should still use iptables, nftables, ufw, firewalld, pfSense or something similar to lock your server down internally. My advice is to speak to a network and security specialist in everything that you do to ensure that you're following best practices. I have worked in the DevOps space for a long time, but I am by no means a network specialist and I cannot guarantee that the above rules are 100% secure.

Anyways, for those of you that have a Hetzner DE server and want to use CloudFlare DNS, I hope this helps :)!