On Tue, Jan 4, 2022 at 1:07 AM Snow Summer <summersnow9403(a)gmail.com> wrote:
> Hi Eric,
> Thank you so much! The commands work after rebooting. However, I still cannot figure out
> why simply using:
> firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="4.2.2.1" reject'
> would not block all incoming DNS responses from 4.2.2.1. I think that by either filtering
> the incoming packets by IP of source, or outgoing packets by the IP of destination (using
> the outbound filtering you have mentioned), my computer cannot query 4.2.2.1 for DNS
> responses. Is that right?
A DNS response is a packet related to the DNS request. Related packets are
allowed, and that rule is one of the first, so the response is accepted
before your reject rule can be evaluated.
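The evaluation order Eric describes, as an added example (it is not code from this thread or from the firewalld project): a toy first-match filter with a minimal conntrack table, where the input chain accepts established/related traffic before the zone rich rules are consulted, so a reply to a query the host itself sent is accepted before the `source address="4.2.2.1" reject` rule is reached. The second scenario rejects the outgoing query instead, so no conntrack entry is ever created and an unsolicited packet from 4.2.2.1 falls through to the reject rule. The client address, ports, rule names and chain layout are constructed for illustration.

```python
"""Toy first-match packet filter with connection tracking.

Added example; not from the mailing-list thread or from firewalld itself.
It models the input-path ordering firewalld uses (accept established/related,
then zone rules, then the default reject) and contrasts an inbound-only
rich rule with filtering the outgoing query. Addresses, ports and rule
names are assumptions made for illustration.
"""
from dataclasses import dataclass

DNS_SERVER = "4.2.2.1"
CLIENT = "192.0.2.10"          # constructed client address (RFC 5737 range)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class Conntrack:
    """Minimal conntrack: remembers accepted flows so replies match ESTABLISHED."""

    def __init__(self):
        self.flows = set()

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def state(self, p):
        fwd = self._key(p)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def record(self, p):
        self.flows.add(self._key(p))


def evaluate(chain, pkt, ct, default):
    """First matching rule wins; accepted packets create a conntrack entry."""
    for name, match, verdict in chain:
        if match(pkt, ct):
            if verdict == "accept":
                ct.record(pkt)
            return verdict, name
    if default == "accept":
        ct.record(pkt)
    return default, "default"


# Input chain laid out the way firewalld does it: conntrack shortcut first,
# zone rules (including the rich rule from the question) after it.
INPUT_CHAIN = [
    ("ct_established_related", lambda p, ct: ct.state(p) == "ESTABLISHED", "accept"),
    ("rich_rule_reject_4.2.2.1", lambda p, ct: p.src == DNS_SERVER, "reject"),
]

# Outbound rule equivalent to blocking the query itself (for example a
# firewalld policy or direct rule on OUTPUT matching dst 4.2.2.1 udp/53).
OUTPUT_BLOCK_DNS = [
    ("out_reject_dns_to_4.2.2.1",
     lambda p, ct: p.dst == DNS_SERVER and p.proto == "udp" and p.dport == 53,
     "reject"),
]

QUERY = Packet(CLIENT, DNS_SERVER, "udp", 40000, 53)   # constructed query
REPLY = Packet(DNS_SERVER, CLIENT, "udp", 53, 40000)   # constructed reply


def run(output_chain):
    """Send the query through OUTPUT, then the reply through INPUT.

    Returns ((out_verdict, out_rule), (in_verdict, in_rule)).
    """
    ct = Conntrack()
    out = evaluate(output_chain, QUERY, ct, default="accept")
    inp = evaluate(INPUT_CHAIN, REPLY, ct, default="reject")
    return out, inp


def inbound_rich_rule_only():
    """Only the rich rule from the question: the reply is accepted as ESTABLISHED."""
    return run(output_chain=[])


def with_outbound_filter():
    """Query rejected on OUTPUT; an unsolicited reply then hits the rich rule."""
    return run(output_chain=OUTPUT_BLOCK_DNS)


if __name__ == "__main__":
    print("inbound rich rule only :", inbound_rich_rule_only())
    print("outbound filter added  :", with_outbound_filter())
```

On a real firewalld host with the nftables backend, `nft list ruleset` shows the `ct state established,related accept` line near the top of the input chain, ahead of the zone chains the rich rule lands in; that is the ordering the model reproduces.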