DNS Port Usage (was Re: Weird results - firewall bind8)

Kevin Darcy kcd at daimlerchrysler.com
Tue Apr 17 22:17:28 UTC 2001


Okay, I'm sure this is documented in an FAQ somewhere, but let's just
clarify DNS port usage, once more for the record.

If you're *serving* DNS through a firewall or router filter, then:

1) All inbound UDP/TCP packets from port 53 or unprivileged ports to port
53 need to be permitted (incoming queries).

2) All outbound UDP/TCP packets from port 53 to port 53 or unprivileged
ports need to be permitted (outgoing responses).

3) If the firewall is stateful enough, it should only allow outbound
packets to destinations+ports which recently sent inbound packets.

In #1 or #2, where it says "port 53 or unprivileged ports", one could be
lazier and just specify "any port". I can't imagine that there is much
security exposure in allowing DNS queries from, say, the FTP port. The
Truly Paranoid may disagree.

If you're *resolving* DNS through a firewall, then:

1) All outbound UDP/TCP packets from unprivileged ports (assuming only
stub resolvers and/or BIND 8/9 with a default configuration) to port 53
need to be permitted (outgoing queries).

2) All inbound UDP/TCP packets from port 53 to unprivileged ports need to
be permitted (incoming responses).

3) Again, if your firewall is stateful enough, you should only allow
"responses" to recently-asked queries, and none others.

Note that NOTIFYs look like queries from master to slave, and zone
transfers look like queries from the slave to the master, so if there is
a firewall between your master and your slave(s), adjust your rules
accordingly. Zone transfers themselves are always TCP, so if you're
particularly paranoid you might be tempted to lock down master/slave
communication to TCP exclusively. However, the SOA serial-number queries
which slaves send to the master to synchronize replication look like
ordinary queries, and typically use UDP, so if you're overly restrictive,
you might break master/slave replication.

Note also that much of this is configurable through the query-source and
transfer-source options. In BIND 9, there's even a notify-source option.

Corrections welcomed.


- Kevin

Jim Reid wrote:

> >>>>> "Tonino" == TAG  <tag at xsinet.co.za> writes:
>
>     Tonino> I am getting a weird "error" from my firewall ...
>
>     Tonino> OK - I am using GNATbox as a firewall and the logs look
>     Tonino> like this :
>
>     Tonino> IP PACKET: UDP [tertiary DNS/53]-->[secondary DNS/21167]
>     Tonino> [tertiary DNS/53]-->[secondary DNS/21167]
>
>     Tonino> Why are they not doing requests on port 53??
>
> These are not requests. They are answers from your name server. You
> have no control over the source address or port numbers that the rest
> of the world will use to query your name servers. Your firewall has to
> let everything in that's going to port 53 of your servers and let
> anything out that's coming from port 53 of those servers.
>
> When your name servers make a DNS query, they will use a random,
> unprivileged port by default. So you have to let anything out that's
> going from your servers to port 53 outside. The replies will come from
> port 53 to some random port on your servers so you have to allow those
> packets in too. This is really just the same traffic pattern as above
> except that the client and server are the other way round: you're
> querying them instead of them querying you.
>
> You probably should just let all UDP/TCP traffic through provided the
> source or destination port is 53 so the DNS will work. If you're
> paranoid, you could restrict that to the IP addresses of your servers
> so only they can make/get queries and get/send replies from the
> outside.
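Added example, not part of the original post and not BIND code: a toy stateful packet filter that applies the serving and resolving rules above, including rule 3 of both lists (only admit a response whose query was seen recently), the master/slave NOTIFY, UDP SOA refresh and TCP zone-transfer cases, and what changes when query-source is pinned to port 53. All addresses, ports and packets are constructed for illustration; `DnsFilter`, `Packet` and `run_scenarios` are names invented here.

```python
"""Toy stateful packet filter for the DNS rules in the post above.

Added example, not part of the original post and not BIND code. Addresses,
ports and packets are constructed. The filter sits in front of the hosts in
`inside`, admits queries per the serving/resolving rules, and admits a
response only if the matching query was seen within `window` seconds.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
DNS_PORT = 53
FIRST_UNPRIV = 1024   # "unprivileged ports" in the post


class DnsFilter:
    def __init__(self, inside, query_source_port=None, peers=(),
                 peers_tcp_only=False, window=30.0):
        self.inside = set(inside)
        # None = the BIND 8/9 default the post assumes (random unprivileged
        # source port); an int models `query-source port N` in named.conf.
        self.query_source_port = query_source_port
        self.peers = set(peers)               # master/slave partners
        self.peers_tcp_only = peers_tcp_only  # the "paranoid" TCP-only idea
        self.window = window                  # seconds a query stays "recent"
        self.pending = {}                     # query 5-tuple -> time seen

    def _remember_query(self, pkt, now):
        self.pending[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now

    def _answers_recent_query(self, pkt, now):
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed
        seen = self.pending.get(key)
        if seen is None or now - seen > self.window:
            self.pending.pop(key, None)
            return False
        if pkt.proto == "udp":
            del self.pending[key]   # one UDP reply per query; TCP keeps flowing
        return True

    def _query_sport_ok(self, port):
        if self.query_source_port is not None:
            return port == self.query_source_port
        return port >= FIRST_UNPRIV

    def decide(self, pkt, now):
        """Return ("accept" | "drop", reason) for one packet at time `now`."""
        inbound = pkt.dst in self.inside and pkt.src not in self.inside
        outbound = pkt.src in self.inside and pkt.dst not in self.inside
        if (self.peers_tcp_only and pkt.proto == "udp"
                and (pkt.src in self.peers or pkt.dst in self.peers)):
            return "drop", "master/slave traffic restricted to TCP"
        if inbound:
            if pkt.dport == DNS_PORT:              # serving #1: any source port
                self._remember_query(pkt, now)
                return "accept", "serving: inbound query"
            if pkt.sport == DNS_PORT and self._query_sport_ok(pkt.dport):
                if self._answers_recent_query(pkt, now):   # resolving #2 + #3
                    return "accept", "resolving: response to recent query"
                return "drop", "resolving: response without a matching query"
            return "drop", "inbound: neither a query to us nor an answer for us"
        if outbound:
            if pkt.sport == DNS_PORT and self._answers_recent_query(pkt, now):
                return "accept", "serving: response to recent query"  # #2 + #3
            if pkt.dport == DNS_PORT and self._query_sport_ok(pkt.sport):
                self._remember_query(pkt, now)                        # resolving #1
                return "accept", "resolving: outbound query"
            return "drop", "outbound: unsolicited, or from an unexpected port"
        return "drop", "does not cross the firewall"


# Constructed addresses from the RFC 5737 documentation ranges.
NS, CLIENT, UPSTREAM, SLAVE = "192.0.2.53", "198.51.100.7", "203.0.113.9", "203.0.113.54"


def run_scenarios():
    """Walk the cases discussed in the thread; returns {name: verdict}."""
    v = {}
    fw = DnsFilter(inside=[NS], peers=[SLAVE])
    # A stub resolver outside queries us; our answer goes back, a replay does not.
    v["client_query"] = fw.decide(Packet("udp", CLIENT, 40000, NS, 53), 0.0)[0]
    v["client_reply"] = fw.decide(Packet("udp", NS, 53, CLIENT, 40000), 0.1)[0]
    v["client_reply_replayed"] = fw.decide(Packet("udp", NS, 53, CLIENT, 40000), 0.2)[0]
    # The log line in the thread, 53 -> 21167: unsolicited it is dropped; once
    # our own query from port 21167 has gone out, the same packet is the answer.
    v["answer_unsolicited"] = fw.decide(Packet("udp", UPSTREAM, 53, NS, 21167), 1.0)[0]
    v["our_query"] = fw.decide(Packet("udp", NS, 21167, UPSTREAM, 53), 1.0)[0]
    v["answer_solicited"] = fw.decide(Packet("udp", UPSTREAM, 53, NS, 21167), 1.1)[0]
    # A query asked longer ago than the window no longer admits an answer.
    fw.decide(Packet("udp", NS, 21168, UPSTREAM, 53), 5.0)
    v["answer_stale"] = fw.decide(Packet("udp", UPSTREAM, 53, NS, 21168), 40.0)[0]
    # Master (us) and slave (outside): NOTIFY, UDP SOA refresh, TCP zone transfer.
    v["notify_out"] = fw.decide(Packet("udp", NS, 32000, SLAVE, 53), 50.0)[0]
    v["soa_query_in"] = fw.decide(Packet("udp", SLAVE, 33000, NS, 53), 50.0)[0]
    v["axfr_in"] = fw.decide(Packet("tcp", SLAVE, 34000, NS, 53), 50.0)[0]
    v["axfr_data_out"] = fw.decide(Packet("tcp", NS, 53, SLAVE, 34000), 50.5)[0]
    v["axfr_more_data"] = fw.decide(Packet("tcp", NS, 53, SLAVE, 34000), 51.0)[0]
    # TCP-only between master and slave: AXFR still works, SOA refresh breaks.
    strict = DnsFilter(inside=[NS], peers=[SLAVE], peers_tcp_only=True)
    v["strict_axfr_in"] = strict.decide(Packet("tcp", SLAVE, 34001, NS, 53), 60.0)[0]
    v["strict_soa_query_in"] = strict.decide(Packet("udp", SLAVE, 33001, NS, 53), 60.0)[0]
    # `query-source port 53` changes the outbound rule: 53 -> 53 must now pass,
    # whereas the default rule set (unprivileged source ports only) drops it.
    pinned = DnsFilter(inside=[NS], query_source_port=53)
    v["pinned_query_out"] = pinned.decide(Packet("udp", NS, 53, UPSTREAM, 53), 70.0)[0]
    v["default_query_from_53"] = fw.decide(Packet("udp", NS, 53, UPSTREAM, 53), 70.0)[0]
    return v


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} {verdict}")
```

Two things the model makes visible that the prose only states: the TCP-only master/slave rule set admits the AXFR but drops the slave's UDP SOA refresh query, which is exactly how replication silently breaks, and pinning query-source to port 53 means the firewall's outbound rule must admit 53 -> 53 or resolution fails. Pinning the source port does simplify the rules, but it removes source-port randomization, which later became an important defence against cache poisoning; current BIND releases randomize the query source port by default, and the firewall should accommodate that rather than force a fixed port.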