Ports on secondary DNS

Bob Lockie bjlockie at lockie.ca
Thu Nov 28 00:18:58 UTC 2002


Michael AIG wrote:

>Hi,
>
>I want to set up secondary DNS in different network.
>The problem is by default they close all the ports (incoming and outgoing).
>May I know which ports should I ask to be opened to allow public to access 
>the DNS server? I mean the source and destination ports for both client and 
>server. And how about the ports for the zone transfer from primary to 
>secondary?
>
Did you try a search on the web?
I found this in my search:
"Old versions of BIND made DNS resolution queries by attaching to port 
53 of the remote nameserver and receiving replies back on port 53 as 
well. The new software connects to port 53, but the back-channel for 
data is designated as a random channel at port 1023 /*or higher*/. This 
presents a problem for sites that are filtering UDP traffic on port 1023 
or higher."

"You do not need to open up ports 1023 and higher for all machines on 
your network; only the nameservers. Most, if not all, firewall products 
will allow the selection of specific ports to be opened for specific 
machines."

I don't know which ports are used for zone transfers but I assume it is 
the same.

-- 
----------------------------------------
Sent from Mozilla and GNU/Linux
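The advice in this thread, expressed as an nftables ruleset for a Linux host running the secondary nameserver. This is an added example, not part of the original post; the addresses 192.0.2.53 (this host) and 192.0.2.10 (the primary) are placeholders, and it relies on connection tracking to admit the reply traffic on ports 1023 and higher instead of opening that range inbound. Zone transfers (AXFR/IXFR) are initiated by the secondary towards the primary over TCP port 53.

```nftables
# Added example: host firewall for a secondary DNS server (nftables syntax).
# Placeholder addresses: 192.0.2.53 is this host, 192.0.2.10 is the primary.
table inet dns_firewall {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to queries this nameserver sent out (the "back-channel" on
        # port 1023 or higher quoted above) are matched by connection tracking,
        # so no inbound range of high ports has to be opened for anyone.
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Public resolution: UDP 53 for ordinary queries, TCP 53 for large
        # answers. Only the nameserver address is opened, not the whole network.
        ip daddr 192.0.2.53 udp dport 53 accept
        ip daddr 192.0.2.53 tcp dport 53 accept
    }

    chain output {
        type filter hook output priority 0; policy drop;

        ct state established,related accept
        oif lo accept

        # Queries the nameserver originates: ephemeral source port, port 53 at
        # the far end. This covers SOA refresh checks to the primary as well as
        # the zone transfers themselves, which run over TCP 53 to the primary.
        ip saddr 192.0.2.53 udp dport 53 accept
        ip saddr 192.0.2.53 ip daddr 192.0.2.10 tcp dport 53 accept
    }
}
```

NOTIFY messages from the primary arrive on UDP 53 and are covered by the input rule; if the secondary also answers recursive queries, widen the outbound TCP 53 rule beyond the primary so truncated answers can be retried over TCP.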




More information about the bind-users mailing list