Is port 53 required for both incoming and outgoing

Mark_Andrews at isc.org Mark_Andrews at isc.org
Fri Nov 7 22:14:02 UTC 2003


> > -----Original Message-----
> > From: Eric Smith [mailto:es at fruitcom.com]
> > Sent: Friday, November 07, 2003 7:38 AM
> > To: comp-protocols-dns-bind at isc.org
> > Subject: Is port 53 required for both incoming and outgoing
> > 
> > 
> > Hi
> > 
> > We have a primary NS on a network which has port 53 open for
> > outgoing traffic only tcp and udp - not incoming traffic.
> > 
> > Is it still possible to run bind on this machine which is the
> > primary NS for a domain?
> 
> Yes, as long as the origin of the queries to this DNS server is not from the
> other side of the firewall.
> 
> If there will be queries from the outside, then you need to allow at least
> UDP 53 incoming as well.  If there will be zone transfers from outside, you
> will need TCP 53 also.

	Michael please don't give advice like this again.  The
	general answer to which transport protocols that should be
	open for DNS is *both* TCP and UDP.  Your answer made lots
	of assumptions which just don't hold in the general case.

	You have to allow both UDP and TCP incoming.  Ordinary
	queries can come in via TCP as well as UDP.  Access control
	for zone transfers should be done in the server.

	As for outgoing the best general solution is to use a
	stateful firewall.  This will allow queries from any DNS
	client to receive answers (helps with troubleshooting).

	e.g.
	allow out [TCP|UDP] from any port any to any port 53 keepstate.

	If you don't have a stateful firewall you will need to force
	the UDP queries from named to come from a known port (usually
	53 is used as it needs to be open for queries).  TCP queries
	will come from a source port allocated by the kernel.  You
	will need to check for established state on the reply
	traffic.  See query-source, notify-source and transfer-source.

	Mark

> Michael Breton
> Commtel
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
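The following named.conf fragment is an added example, not part of Mark's post or ISC's documentation; it shows the query-source, notify-source and transfer-source options he points to, configured for the non-stateful-firewall case, with zone-transfer access control done in the server. The addresses 192.0.2.53, 192.0.2.0/24, 192.0.2.10 and 192.0.2.11 and the zone example.com are constructed placeholders.

```conf
// Added example (not from the post): BIND options for a server behind a
// firewall that cannot keep state, so replies must be matched on fixed ports.
// All addresses below are constructed placeholders.
options {
    // Pin outgoing UDP queries to a known address and port 53, so the
    // firewall can admit replies as "udp from any port 53 to 192.0.2.53
    // port 53".  Inbound UDP/53 has to be open anyway to serve queries.
    // Caveat: a fixed source port gives up the source-port randomisation
    // that current named does by default; use this only when the firewall
    // truly cannot track state.
    query-source address 192.0.2.53 port 53;

    // Outgoing zone-transfer requests and NOTIFY messages leave from a known
    // address.  Their TCP source port is still picked by the kernel, so the
    // firewall rule for the replies must match on "established" state.
    transfer-source 192.0.2.53;
    notify-source 192.0.2.53;

    // Transfer access control belongs here, not in the firewall: TCP/53 stays
    // open for ordinary queries (and truncated-UDP retries) from anyone, and
    // named decides who may AXFR.  Global default: nobody.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Per-zone override: only these secondaries may pull this zone.
    allow-transfer { 192.0.2.10; 192.0.2.11; };
};
```

Run `named-checkconf` against the file before reloading to catch syntax errors in the fragment.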