Revision as of 09:27, 2 December 2012
DNS firewall considerations
DNS server firewall configuration
On a DNS server we need to allow incoming DNS queries to destination port 53. Queries are normally sent over UDP, so the minimum rule is
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
in both '/etc/sysconfig/iptables' and '/etc/sysconfig/ip6tables' so that the DNS server can receive queries on both its IPv4 and IPv6 addresses without the firewall blocking them. Put the rule before the final REJECT/DROP rule of the INPUT chain, otherwise it is never reached. DNS also uses TCP port 53 (for zone transfers and for answers too large to fit in a UDP datagram, where the client retries over TCP), so an authoritative or recursive server usually needs a matching '-p tcp -m tcp --dport 53 -j ACCEPT' rule as well.
DNS client firewall configuration
Note that a DNS client chooses a random UDP source port for each query and sends it to port 53 of the DNS server. The server replies from source port 53 back to that same client port. Hence, to let a DNS client receive replies without the firewall filtering them, the page's rule is:
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
in both '/etc/sysconfig/iptables' and '/etc/sysconfig/ip6tables' files.
Note:
- The filtering is based on the source port of the reply and not on its destination port, because the destination (the client's query port) is random.
- This rule accepts any UDP packet whose source port is 53, whether or not this host sent a query. Any remote host can therefore reach any UDP service on the client simply by sending from source port 53. On a kernel with connection tracking, restrict the rule to replies to queries this host actually sent, for example '-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT' (or a general '-m state --state ESTABLISHED,RELATED -j ACCEPT' rule early in the chain), which is what the stock RHEL/CentOS firewall configuration already does.
- For a process to listen on port 53, super-user privileges (or the CAP_NET_BIND_SERVICE capability) are required, since ports below 1024 are privileged on Linux. Because clients always send queries to port 53 and the firewall only accepts replies from port 53, an ordinary user cannot stand in for the DNS server with an unprivileged resolver on a high port. Conversely, since queries leave from unprivileged ephemeral ports (above 1023), an ordinary user process can query the DNS server without any set-uid/set-gid mechanism.
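The following script is an added example, not part of the original wiki page. It writes the server and client rule sets from both sections above as complete iptables-restore style '*filter' tables (the same text serves '/etc/sysconfig/iptables' and '/etc/sysconfig/ip6tables', only the REJECT target differs), with the client rule restricted by connection state, and includes a hypothetical 'find_weak_dns_accept' check that flags the over-broad 'accept anything from source port 53' rule in an existing rules file. It only prints rules and inspects files; it never modifies the running firewall, so it can be run unprivileged. The sample rules file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for the DNS firewall notes above: generate reviewable
# iptables/ip6tables rule text for a DNS server and a DNS client, and check
# an existing rules file for the weak "--sport 53" accept.  Nothing here
# calls iptables; output is meant to be reviewed and then placed in
# /etc/sysconfig/iptables (and ip6tables) ahead of the final REJECT rule.

# DNS server: queries arrive on destination port 53 over UDP, and over TCP
# for zone transfers and for answers too large for a single UDP datagram.
dns_server_rules() {
    cat <<'EOF'
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
EOF
}

# DNS client: the reply comes from source port 53 back to the random port the
# query left from.  Matching on connection state accepts only replies to
# queries this host sent; a bare "--sport 53" accept would let any remote host
# reach any UDP port on this machine just by sending from port 53.
dns_client_rules() {
    cat <<'EOF'
-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Wrap one role's accept rules into a complete *filter table in the order the
# kernel evaluates it: loopback first, the DNS accepts, then the final reject.
# $1 = server|client, $2 = 4 (iptables) | 6 (ip6tables)
render_filter_table() {
    case "$2" in
        6) reject='icmp6-adm-prohibited' ;;
        *) reject='icmp-host-prohibited' ;;
    esac
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT'
    case "$1" in
        server) dns_server_rules ;;
        client) dns_client_rules ;;
        *) echo "unknown role: $1" >&2; return 2 ;;
    esac
    printf '%s\n' "-A INPUT -j REJECT --reject-with $reject" 'COMMIT'
}

# Hypothetical review check: print any INPUT accept keyed only on source port
# 53 with no connection-state match.  Returns 1 if such a rule exists.
# $1 = path to an iptables-save style rules file
find_weak_dns_accept() {
    grep -E -- '^-A INPUT .*--sport 53 .*-j ACCEPT' "$1" \
        | grep -v -- '--state' && return 1
    return 0
}

# Constructed sample: the rule set as the page gives it, weak client rule
# included, in the layout of /etc/sysconfig/iptables.  $1 = output path
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Stand-alone usage: show both tables and audit the constructed sample.
if [ "${1:-}" = "demo" ]; then
    render_filter_table server 4
    render_filter_table client 6
    tmp=$(mktemp)
    write_sample_rules "$tmp"
    find_weak_dns_accept "$tmp" || echo "weak source-port-53 accept found in $tmp"
    rm -f "$tmp"
fi
```

Run it as 'sh dns-fw.sh demo' to print the two tables and see the weak rule flagged. The state match is the important difference from the page's client rule: without it, the accept is a hole for every UDP service on the host, not just the resolver's reply path.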