cat /etc/bind/named.conf.options

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.

I didn't find any information about the exact firewall rules to apply when there is a firewall between the nameservers and me.

Pol Hallen
  • It all revolves around allowing incoming port 53 (tcp+udp) to your server for its clients, and allowing connections to port 53 (tcp+udp) "outside" for your server to reach "upstream". The meaning and scope of "clients", "outside" and "upstream" depend on the settings of the DNS server. Does it serve only its zone? Is it a recursive resolver for some clients? ... more information needed – A.B Nov 03 '17 at 20:09

1 Answer


A standard DNS query is made by the client from any port to the DNS server's UDP/53 port.

Then the DNS server answers from UDP/53 to the client's port:

    Client:Any ---query--> DNSServer:UDP/53 --
                                              |
    Client:Any <--answer-- DNSServer:UDP/53 -<

As a sample, iptables rules for the client would look like this:

    # query: client, any source port -> DNS server port 53 (long options take two dashes)
    iptables -A OUTPUT -d DNSServer -p udp --dport 53 -j ACCEPT
    # answer: DNS server port 53 -> client
    iptables -A INPUT -s DNSServer -p udp --sport 53 -j ACCEPT

Basically, DNS queries use UDP unless queries/answers are less than or equal to 512 bytes.

If a DNS query/response exceeds 512 bytes, then the protocol will switch to TCP/53. You will need TCP only in cases where DNS servers have to speak to each other, for zone transfers (AXFR) as a sample.

krisFR
  • 1
    The 512 byte limit does not hold true with EDNS0 in use; it allows larger payloads over UDP (up to 4096 bytes). Still, the same logic applies: if the max payload is exceeded, a truncated response is sent and the client switches to TCP. This is basically what you said (with just a possibly increased max payload), but that also means that the very last bit about TCP only being needed for AXFR is simply untrue. Open both `53/udp` and `53/tcp` for things to work as intended. – Håkan Lindqvist Nov 04 '17 at 00:11
  • 1
    Well, thank you for the point! The basics remain true: open UDP/53 for basic DNS queries, open TCP/53 for DNS server traffic exchange. No need for TCP for a basic DNS query. – krisFR Nov 04 '17 at 00:23
  • 1
    I agree so far as that `53/udp` is typically preferred for regular queries (although it's perfectly valid for a client to go straight for `53/tcp`), but in any situation where the response didn't fit (signaled via the TC flag), the client is expected to upgrade to TCP and retry. Hence, there are perfectly valid basic queries that break if you block `53/tcp`. Both `53/udp` and `53/tcp` are expected to be available. – Håkan Lindqvist Nov 04 '17 at 00:23
  • 1
    I totally agree: both TCP and UDP are valid for a regular query! An overflow in a query/response could cause a fallback to TCP, and should be handled by a FW rule. Both TCP and UDP 53 are valid, we agree. Thank you. – krisFR Nov 04 '17 at 00:32
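Putting the answer and the comment thread together for the server side of the question (a BIND resolver behind a host firewall), here is an added example that is not part of the original post: a stateful iptables ruleset that opens 53/udp and 53/tcp for clients and for upstream lookups. The client subnet `192.0.2.0/24` and the `APPLY` switch are assumptions; without `APPLY` the rules are only printed for review.

```shell
#!/bin/sh
# Added example (not from the original post): host firewall rules for a
# DNS server. Both 53/udp and 53/tcp are opened in each direction, because
# a truncated UDP answer (TC bit set) makes the client retry over TCP.
# CLIENT_NET is an assumed value; set APPLY=1 to really call iptables.
CLIENT_NET="${CLIENT_NET:-192.0.2.0/24}"

rule() {
    if [ -n "$APPLY" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

dns_server_rules() {
    # answers and follow-up packets of flows already accepted below
    rule -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for proto in udp tcp; do
        # clients -> this server: any source port to our port 53
        rule -A INPUT  -s "$CLIENT_NET" -p "$proto" --dport 53 \
            -m conntrack --ctstate NEW -j ACCEPT
        # this server -> upstream nameservers: any source port to their 53
        rule -A OUTPUT -p "$proto" --dport 53 \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# how many NEW-flow accept rules open port 53 for the given protocol
count_port53_rules() {
    dns_server_rules | grep -c -- "-p $1 --dport 53"
}

dns_server_rules
```

The default policy for INPUT and OUTPUT is left to the rest of the host's ruleset; these lines only add the accepts a DNS server needs.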