Difference between revisions of "DNS firewall considerations"

From Notes_Wiki
m
m
 
Line 1: Line 1:
<yambe:breadcrumb self="Firewall considerations">Bind DNS server configuration | Bind DNS</yambe:breadcrumb>
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Bind DNS server configuration]] > [[DNS firewall considerations]]
=DNS firewall considerations=


==DNS server firewall configuration==
=DNS server firewall configuration=


On DNS server we need to allow incoming DNS queries on destination port 53. Hence we can use below configuration
On DNS server we need to allow incoming DNS queries on destination port 53. Hence we can use below configuration
Line 11: Line 10:




==DNS client firewall configuration==
 
=DNS client firewall configuration=


Note that DNS clients choose random UDP port to send DNS queries to port 53 of DNS server. Then DNS server replies to client on same port from source UDP port 53. Hence in order to allow DNS client to receive DNS replies without them getting filtered by firewall, we can use:
Note that DNS clients choose random UDP port to send DNS queries to port 53 of DNS server. Then DNS server replies to client on same port from source UDP port 53. Hence in order to allow DNS client to receive DNS replies without them getting filtered by firewall, we can use:
Line 22: Line 22:
*The filtering is based on source port and not destination port
*The filtering is based on source port and not destination port
*For a process to be able to listen on port 53, super user privileges are required. Hence by ensuring that DNS requests go to port 53 we reduce the possibility of normal user running his/her own DNS server. Also since queries are sent from ports > 1024, a normal user process can query DNS server without any set-uid/set-gid etc. mechanisms.
*For a process to be able to listen on port 53, super user privileges are required. Hence by ensuring that DNS requests go to port 53 we reduce the possibility of normal user running his/her own DNS server. Also since queries are sent from ports > 1024, a normal user process can query DNS server without any set-uid/set-gid etc. mechanisms.
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Bind DNS server configuration]] > [[DNS firewall considerations]]

Latest revision as of 08:25, 10 March 2022

Home > CentOS > CentOS 6.x > Bind DNS server configuration > DNS firewall considerations

DNS server firewall configuration

On DNS server we need to allow incoming DNS queries on destination port 53. Hence we can use below configuration

-A INPUT -p udp -m udp --dport 53 -j ACCEPT
in both '/etc/sysconfig/iptables' and '/etc/sysconfig/ip6tables' files so that DNS server can receive queries on both IPv4 and IPv6 addresses without getting blocked by firewall.


DNS client firewall configuration

Note that DNS clients choose random UDP port to send DNS queries to port 53 of DNS server. Then DNS server replies to client on same port from source UDP port 53. Hence in order to allow DNS client to receive DNS replies without them getting filtered by firewall, we can use:

-A INPUT -p udp -m udp --sport 53 -j ACCEPT

in both '/etc/sysconfig/iptables' and '/etc/sysconfig/ip6tables' files.

Note:

  • The filtering is based on source port and not destination port
  • For a process to be able to listen on port 53, super user privileges are required. Hence by ensuring that DNS requests go to port 53 we reduce the possibility of normal user running his/her own DNS server. Also since queries are sent from ports > 1024, a normal user process can query DNS server without any set-uid/set-gid etc. mechanisms.



Home > CentOS > CentOS 6.x > Bind DNS server configuration > DNS firewall considerations