CSF country block but allow DNS

seenBEST

• December 07, 2020 21:15

I've searched everywhere but couldn't find a solution, hopefully someone here knows a way. When using ConfigServer Firewall and configuring via WHM to use CC_DENY to block various countries, is there a way to whitelist a port or service such as DNS or exclude it from the country block? I've tested and it seems that CC_DENY also blocks a DNS lookup to the server, but in some cases Google, etc. has DNS lookups that originate in one particular country to service other, non-related countries. It would be nice to allow all port 53 traffic through all the time regardless if the country is blocked or not. Any thoughts on how to accomplish this?

• 

  cPRex Jurassic Moderator

  • December 08, 2020 13:23

  Hey there! I've provided a direct link to the second post on this page which explains how you can block certain ports by country. You may just want to block 80 and 443 traffic by country, keeping UDP 53 open for DNS traffic:

  0
• 

  seenBEST

  • December 08, 2020 15:21

  Thank you, it seems from the information provided that I can simply move my existing CC_DENY list down into CC_DENY_PORTS instead, and then specify ports other than 53 and those countries will still be able to hit DNS but not the ports I specify. I'll give that a try and let you know.

  0
• 

  cPRex Jurassic Moderator

  • December 08, 2020 15:26

  That sounds good! It's important to note that we don't make or provide support for CSF, but it's common enough software that we're usually able to point people in the right direction :D

  0
• 

  seenBEST

  • December 09, 2020 00:32

  It works good and was a quick fix, thank you!

  0
• 

  cPRex Jurassic Moderator

  • December 09, 2020 12:45

  Great - I'm glad that got things well for you!

  0

Please sign in to leave a comment.