From b5f8bc672bf82a68bacb08f4d0ca431630681988 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Fri, 2 Jun 2017 11:34:43 +0200
Subject: [PATCH] Add some comments for DNS rules.

---
 .gitignore | 1 +
 ip6t-firewall-server | 15 +++++++++++++--
 ipt-firewall-server | 17 ++++++++++++++---
 3 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/.gitignore b/.gitignore
index 689be27..df4a5c6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.*.swp
 ip6t-firewall-server.conf
 ipt-firewall-server.conf
 BAK/*
diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index f3246ee..71ef454 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -608,18 +608,29 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
 if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
 for _ip in ${dns_server_ips[@]} ; do
 # dns requests
+ #
+ # Note:
+ # If the total size of the DNS record is larger than 512 bytes,
+ # it will be sent over TCP, not UDP.
+ #
 $ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
- # Zonetransfer
 $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+ # Zonetransfer
 $ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
 done
 fi
 if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
 for _ip in ${forward_dns_server_ip_arr[@]} ; do
+ # dns requests
+ #
+ # Note:
+ # If the total size of the DNS record is larger than 512 bytes,
+ # it will be sent over TCP, not UDP.
+ #
 $ip6t -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
- # Zonetransfer
 $ip6t -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+ # Zonetransfer
 $ip6t -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
 done
 fi
diff --git a/ipt-firewall-server b/ipt-firewall-server
index 89a90d1..d98f792 100755
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
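Review bot: The added `# Note:` block in both loops of ip6t-firewall-server is technically inaccurate: an answer over 512 bytes is not "sent over TCP" by the server — it returns a truncated UDP reply with TC=1 and the resolver retries over TCP, and with EDNS(0) UDP answers up to the advertised buffer size (commonly 1232–4096 bytes) never leave UDP at all. Suggest replacing the five comment lines with `# Note: lookups go over UDP; if the answer does not fit the UDP limit (512 bytes, or the EDNS0 buffer size) the server sets TC and the client retries over TCP, so TCP/53 must be open for ordinary queries, not only zone transfers.` Moving `# Zonetransfer` down to the OUTPUT rule is right, but it should also be said that the INPUT `-p tcp … --dport 53` rule accepts AXFR/IXFR requests from any source, so inbound zone-transfer restriction now rests entirely on the nameserver's own allow-transfer list; if the host only pulls zones from known masters, the OUTPUT rule `-s $_ip --dport 53` could be narrowed with a `-d <master>` match. The guard tests `${#dns_server_ip_arr[@]}` while the first loop iterates `${dns_server_ips[@]}`; if those are different variables the loop is guarded by the wrong array, which is worth confirming in the config-parsing code above this hunk. The outer `if … || …` opens before the hunk and its closing `fi` is outside it.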
@@ -797,19 +797,30 @@ echononl "\t\tDNS Service"
 if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then
 if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
 for _ip in ${dns_server_ips[@]} ; do
- # dns requests
+ # dns requests
+ #
+ # Note:
+ # If the total size of the DNS record is larger than 512 bytes,
+ # it will be sent over TCP, not UDP.
+ #
 $ipt -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
- # Zonetransfer
 $ipt -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+ # Zonetransfer
 $ipt -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
 done
 fi
 if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
 for _ip in ${forward_dns_server_ip_arr[@]} ; do
+ # dns requests
+ #
+ # Note:
+ # If the total size of the DNS record is larger than 512 bytes,
+ # it will be sent over TCP, not UDP.
+ #
 $ipt -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
- # Zonetransfer
 $ipt -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+ # Zonetransfer
 $ipt -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
 done
 fi
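Review bot: The `# Zonetransfer` label now placed on `$ipt -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT` under-describes that rule: it admits every server-initiated TCP/53 connection, i.e. outbound AXFR/IXFR pulls from masters and TCP-fallback recursion alike, so a reader may later "tighten" it without realising recursion depends on it; suggest `# Outbound TCP/53 from the server: zone transfers pulled from masters and TCP fallback for recursive lookups`. The re-added `# dns requests` note repeats the 512-byte claim, which is imprecise — the server truncates (TC=1) and the client retries over TCP, and EDNS(0) raises the UDP limit well above 512 bytes — so `# Note: answers that exceed the UDP size limit are truncated and retried over TCP, so TCP/53 serves ordinary lookups, not only zone transfers.` is the accurate wording. Because the INPUT `-p tcp --dport 53` rule accepts from any source, inbound zone transfers are not limited by this firewall at all; the nameserver's allow-transfer list must be the control point, or source-restricted rules for known secondaries should be added if the script's configuration exposes them. The guard checks `dns_server_ip_arr` while the loop iterates `${dns_server_ips[@]}`, which looks inconsistent and should be confirmed against the config parser. The outer `if` on the first hunk line is closed past the end of the hunk.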