allowing dig through ipchains

George Kallingal gkallingal at ecs.com
Fri May 18 00:04:02 UTC 2001


This might be a trivial question, but I wanted to know if the dig utility
uses TCP/UDP port 53 when performing queries.  I am running bind 8.2.3 on RH
6.2 with ipchains as a firewall.

My configuration is as follows...

    # DNS server (53)
    # ---------------

    # DNS: full server
    # ----------------

    # server/client to server query or response

    # Queries from any remote client or server (unprivileged source
    # port) to our port 53, and our replies back to them.
    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             --source-port $UNPRIVPORTS \
             -d $IPADDR 53 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
             -s $IPADDR 53 \
             --destination-port $UNPRIVPORTS -j ACCEPT

    # Server-to-server traffic, port 53 to port 53 in both directions
    # (BIND 8 sends its own queries from port 53 by default).
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
             -s $IPADDR 53 \
             --destination-port 53 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             --source-port 53 \
             -d $IPADDR 53 -j ACCEPT


    # DNS client (53)
    # ---------------
    # Resolver queries from this host's unprivileged ports, permitted
    # only towards $NAMESERVER_1 and $NAMESERVER_2.

    # UDP to/from $NAMESERVER_1
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_1 53 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             -s $NAMESERVER_1 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    # TCP to/from $NAMESERVER_1 (truncated answers, zone transfers).
    # "! -y" accepts only non-SYN segments inbound, so the remote side
    # cannot open a new connection to our unprivileged ports.
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_1 53 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $NAMESERVER_1 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    # UDP to/from $NAMESERVER_2
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_2 53 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             -s $NAMESERVER_2 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    # TCP to/from $NAMESERVER_2, same SYN restriction as above.
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_2 53 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $NAMESERVER_2 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT


When I perform a dig of a remote DNS server, I receive a "connection
refused":

 dig @216.115.239.42 drbenefits.com

; <<>> DiG 8.3 <<>> @216.115.239.42 drbenefits.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server 216.115.239.42: Connection refused

Any assistance would be greatly appreciated.
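Added example, not part of the original post. dig sends its query from an unprivileged port on $IPADDR to port 53 of whichever server follows the @, over UDP, retrying over TCP when an answer is truncated (and always over TCP for AXFR). The client rules in the post permit that only towards $NAMESERVER_1 and $NAMESERVER_2, so a query to any other server has to match some other rule or fall through to the chain's default policy. The script below generates the generalised client rules (any destination on port 53) in the same style as the posted ones; the interface name eth0 and the address 192.0.2.10 are assumed placeholders, and setting IPCHAINS=echo dry-runs the rule set for review before it is loaded as root.

```sh
#!/bin/sh
# Added example, not from the original post: DNS client rules that let
# dig/resolver queries reach port 53 on ANY remote nameserver, instead of
# only $NAMESERVER_1 and $NAMESERVER_2. Run with IPCHAINS=echo to print
# the commands instead of executing them.
IPCHAINS="${IPCHAINS:-ipchains}"
EXTERNAL_INTERFACE="eth0"      # assumed interface name (placeholder)
IPADDR="192.0.2.10"            # assumed firewall address (placeholder)
UNPRIVPORTS="1024:65535"
ANYWHERE="0.0.0.0/0"

# UDP: query out from an unprivileged port to port 53 of any host, and
# the matching answer back in.
dns_client_udp_rules() {
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p udp \
        -s "$IPADDR" "$UNPRIVPORTS" -d "$ANYWHERE" 53 -j ACCEPT
    $IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p udp \
        -s "$ANYWHERE" 53 -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
}

# TCP: used when a UDP answer is truncated and for zone transfers.
# "! -y" on the input rule accepts only non-SYN segments, so a remote
# host on port 53 cannot open a connection to our unprivileged ports.
dns_client_tcp_rules() {
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp \
        -s "$IPADDR" "$UNPRIVPORTS" -d "$ANYWHERE" 53 -j ACCEPT
    $IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
        -s "$ANYWHERE" 53 -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
}

# Report (exit status) whether a query to server $1 would be matched by
# a per-server rule set like the posted one, whose permitted servers are
# listed, space separated, in $2.
client_rule_covers() {
    for ns in $2; do
        [ "$ns" = "$1" ] && return 0
    done
    return 1
}

# Usage: generate both rule groups (dry-run when IPCHAINS=echo).
dns_client_udp_rules
dns_client_tcp_rules
```

Load the generalised rules instead of the per-server ones only if this host should be able to query arbitrary servers (for example for troubleshooting with dig); a pure stub resolver that only ever talks to its two configured nameservers is better served by the narrower rules already posted.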


