DNS firewall considerations
From Notes_Wiki
DNS server firewall configuration
On the DNS server we need to allow incoming DNS queries to destination port 53. Hence we can use the rule
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
in both '/etc/sysconfig/iptables' and '/etc/sysconfig/ip6tables' so that the DNS server can receive queries on both its IPv4 and IPv6 addresses without them being blocked by the firewall. Note that UDP alone is usually not enough: resolvers retry over TCP port 53 when a UDP answer is truncated (common with DNSSEC-signed responses), and zone transfers between servers also run over TCP, so a matching rule for TCP destination port 53 is normally needed as well.
DNS client firewall configuration
Note that a DNS client picks a random ephemeral UDP source port (above 1024) and sends its query from there to port 53 of the DNS server. The server then replies from source UDP port 53 back to that same client port. Hence, in order to let the DNS client receive replies without them being filtered by the firewall, we can use:
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
in both '/etc/sysconfig/iptables' and '/etc/sysconfig/ip6tables'. Be aware that this rule is stateless: it accepts any UDP packet whose source port is 53, to any local port, whether or not the host ever sent a query. Anyone can set their source port to 53, so on a host with other UDP services a connection-tracked rule that accepts only ESTABLISHED traffic (replies to queries the host actually sent) is the more restrictive choice.
Note:
- The filtering is based on the source port, not the destination port, so the rule does not check which local port the reply is addressed to.
- On Linux a process can only bind a port below 1024, and therefore port 53, if it runs as root or holds the CAP_NET_BIND_SERVICE capability. Hence, by ensuring that DNS queries go to port 53, we reduce the possibility of an ordinary user running a DNS server of their own on the host. Also, since queries are sent from ports above 1024, an unprivileged process can query the DNS server without any set-uid/set-gid mechanism.
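The following is an added example, not part of the original wiki page. It models the server rule and the client rule above as a small iptables-syntax matcher run over constructed UDP packets, so the difference between the page's stateless '--sport 53' ACCEPT and a connection-tracked ACCEPT can be seen directly. The TCP server rule and the conntrack rule are additions beyond the page's two rules, the addresses are RFC 5737 documentation addresses chosen for the demonstration, and the conntrack model is a deliberate simplification (a 5-tuple table, which is how netfilter treats UDP flows for this purpose). Nothing here touches the real netfilter stack.

```python
"""Toy netfilter INPUT-chain matcher for the DNS rules discussed above.

Added example (not the wiki page's code). Rules are written in iptables-save
syntax so they can be compared with /etc/sysconfig/iptables; the matcher only
understands the handful of options those rules use.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str  # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


# Rules from the page, plus the TCP fallback every DNS server also needs.
SERVER_RULES = [
    "-A INPUT -p udp -m udp --dport 53 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT",  # truncated answers, zone transfers
]
# The page's client rule (stateless) and a connection-tracked alternative.
CLIENT_RULE_STATELESS = "-A INPUT -p udp -m udp --sport 53 -j ACCEPT"
CLIENT_RULE_STATEFUL = "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"


def parse_rule(rule: str) -> dict:
    """Parse the subset of iptables options used on this page into a match spec."""
    tokens = rule.split()
    spec = {"proto": None, "sport": None, "dport": None, "states": None, "target": None}
    i = 0
    while i < len(tokens):
        t = tokens[i]
        if t == "-p":
            spec["proto"] = tokens[i + 1]
        elif t == "--dport":
            spec["dport"] = int(tokens[i + 1])
        elif t == "--sport":
            spec["sport"] = int(tokens[i + 1])
        elif t == "--ctstate":
            spec["states"] = set(tokens[i + 1].split(","))
        elif t == "-j":
            spec["target"] = tokens[i + 1]
        elif t not in ("-A", "-m"):  # chain name / match module: nothing to match on
            raise ValueError(f"unsupported token {t!r} in {rule!r}")
        i += 2
    return spec


class Conntrack:
    """Simplified UDP connection tracking: remembers outbound 5-tuples."""

    def __init__(self):
        self.flows = set()

    def outbound(self, p: Packet) -> None:
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def state(self, p: Packet) -> str:
        # An inbound packet is ESTABLISHED if it reverses a flow we started.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ESTABLISHED"
        return "NEW"


def rule_matches(spec: dict, p: Packet, ct: Conntrack) -> bool:
    if spec["proto"] is not None and spec["proto"] != p.proto:
        return False
    if spec["sport"] is not None and spec["sport"] != p.sport:
        return False
    if spec["dport"] is not None and spec["dport"] != p.dport:
        return False
    if spec["states"] is not None and ct.state(p) not in spec["states"]:
        return False
    return True


def input_verdict(rules, p: Packet, ct: Conntrack, policy: str = "DROP") -> str:
    """First matching rule wins, as in an iptables chain; otherwise the chain policy."""
    for rule in rules:
        spec = parse_rule(rule)
        if rule_matches(spec, p, ct):
            return spec["target"]
    return policy


def demo() -> dict:
    """Constructed packets: a real query/reply pair and an unsolicited 'reply'."""
    client, resolver, attacker = "192.0.2.10", "192.0.2.53", "198.51.100.7"
    ct = Conntrack()
    query = Packet("udp", client, 40001, resolver, 53)  # ephemeral port -> 53
    ct.outbound(query)                                  # client's firewall saw it leave
    reply = Packet("udp", resolver, 53, client, 40001)  # genuine answer
    rogue = Packet("udp", attacker, 53, client, 161)    # attacker merely set sport=53
    return {
        "server_query": input_verdict(SERVER_RULES, query, Conntrack()),
        "server_other_port": input_verdict(SERVER_RULES, Packet("udp", client, 40001, resolver, 5353), Conntrack()),
        "stateless_reply": input_verdict([CLIENT_RULE_STATELESS], reply, ct),
        "stateless_rogue": input_verdict([CLIENT_RULE_STATELESS], rogue, ct),
        "stateful_reply": input_verdict([CLIENT_RULE_STATEFUL], reply, ct),
        "stateful_rogue": input_verdict([CLIENT_RULE_STATEFUL], rogue, ct),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

Running it shows the server accepting queries to port 53 and dropping traffic to other ports, while on the client side the page's '--sport 53' rule accepts both the genuine reply and the rogue packet aimed at local port 161; only the conntrack rule drops the rogue one. On a real host the same contrast can be checked with the counters shown by 'iptables -L INPUT -v -n'.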