Is port 53 required for both incoming and outgoing
Mark_Andrews at isc.org
Fri Nov 7 22:14:02 UTC 2003
> > -----Original Message-----
> > From: Eric Smith [mailto:es at fruitcom.com]
> > Sent: Friday, November 07, 2003 7:38 AM
> > To: comp-protocols-dns-bind at isc.org
> > Subject: Is port 53 required for both incoming and outgoing
> >
> >
> > Hi
> >
> > We have a primary NS on a network which has port 53 open for
> > outgoing traffic only tcp and udp - not incoming traffic.
> >
> > Is it still possible to run bind on this machine which is the
> > primary NS for a domain?
>
> Yes, as long as the origin of the queries to this DNS server is not from the
> other side of the firewall.
>
> If there will be queries from the outside, then you need to allow at least
> UDP 53 incoming as well. If there will be zone transfers from outside, you
> will need TCP 53 also.
Michael please don't give advice like this again. The
general answer to which transport protocols that should be
open for DNS is *both* TCP and UDP. Your answer made lots
of assumptions which just don't hold in the general case.

You have to allow both UDP and TCP incoming. Ordinary
queries can come in via TCP as well as UDP. Access control
for zone transfers should be done in the server.

As for outgoing the best general solution is to use a
stateful firewall. This will allow queries from any DNS
client to receive answers (helps with troubleshooting).
e.g.
allow out [TCP|UDP] from any port any to any port 53 keepstate.

If you don't have a stateful firewall you will need to force
the UDP queries from named to come from a known port (usually
53 is used as it needs to be open for queries). TCP queries
will come from a source port allocated by the kernel. You
will need to check for established state on the reply
traffic. See query-source, notify-source and transfer-source.
Mark
> Michael Breton
> Commtel
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
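The server-side half of what Mark describes, as an added example that is not part of the thread: a BIND 9 named.conf fragment that pins the source port of outbound UDP queries, notifies and transfers (so a stateless firewall can match the replies) and keeps zone-transfer access control in named rather than in the firewall. The ACL name, addresses, zone and file paths are constructed placeholders.

```conf
// Added example, not from the thread. Names and addresses are placeholders.
acl secondaries { 192.0.2.10; 192.0.2.11; };   // hosts allowed to pull zones (constructed)

options {
    directory "/var/named";

    // Without a stateful firewall, pin named's outbound UDP source port to 53
    // so the reply rule can be written as: allow in udp from any port 53 to me.
    // TCP queries still leave from a kernel-allocated port, so their replies
    // must be matched on established state, as the message above says.
    // Caveat: later BIND releases randomise the UDP source port by default to
    // resist cache poisoning; pinning it trades that away for a simpler firewall.
    query-source    address * port 53;
    notify-source   * port 53;
    transfer-source * port 53;

    // Ordinary queries arrive over both UDP and TCP on port 53, so both
    // must be open inbound; the firewall does not decide who may transfer.
    allow-query { any; };

    // Zone-transfer access control belongs in the server.
    allow-transfer { secondaries; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };   // overrides the global setting per zone if needed
};
```

The matching stateless firewall policy is then: inbound UDP and TCP to port 53 from any source, outbound UDP from port 53 to any port 53 (queries) and to any port (replies), and outbound TCP with established state checked on the return traffic.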