Difference between revisions of "DNS firewall considerations"
From Notes_Wiki
(Created page with "=DNS firewall considerations= ==DNS server firewall configuration== On DNS server we need to allow incoming DNS queries on destination port 53. Hence we can use below config...") |
m |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Bind DNS server configuration]] > [[DNS firewall considerations]] | |||
=DNS server firewall configuration= | |||
On DNS server we need to allow incoming DNS queries on destination port 53. Hence we can use below configuration | On DNS server we need to allow incoming DNS queries on destination port 53. Hence we can use below configuration | ||
| Line 10: | Line 10: | ||
=DNS client firewall configuration= | |||
Note that DNS clients choose random UDP port to send DNS queries to port 53 of DNS server. Then DNS server replies to client on same port from source UDP port 53. Hence in order to allow DNS client to receive DNS replies without them getting filtered by firewall, we can use: | Note that DNS clients choose random UDP port to send DNS queries to port 53 of DNS server. Then DNS server replies to client on same port from source UDP port 53. Hence in order to allow DNS client to receive DNS replies without them getting filtered by firewall, we can use: | ||
| Line 21: | Line 22: | ||
*The filtering is based on source port and not destination port | *The filtering is based on source port and not destination port | ||
*For a process to be able to listen on port 53, super user privileges are required. Hence by ensuring that DNS requests go to port 53 we reduce the possibility of normal user running his/her own DNS server. Also since queries are sent from ports > 1024, a normal user process can query DNS server without any set-uid/set-gid etc. mechanisms. | *For a process to be able to listen on port 53, super user privileges are required. Hence by ensuring that DNS requests go to port 53 we reduce the possibility of normal user running his/her own DNS server. Also since queries are sent from ports > 1024, a normal user process can query DNS server without any set-uid/set-gid etc. mechanisms. | ||
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Bind DNS server configuration]] > [[DNS firewall considerations]] | |||
Latest revision as of 08:25, 10 March 2022
Home > CentOS > CentOS 6.x > Bind DNS server configuration > DNS firewall considerations
DNS server firewall configuration
On DNS server we need to allow incoming DNS queries on destination port 53. Hence we can use below configuration
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
in both '/etc/sysconfig/iptables' and '/etc/sysconfig/ip6tables' files so that DNS server can receive queries on both IPv4 and IPv6 addresses without getting blocked by firewall.
DNS client firewall configuration
Note that DNS clients choose random UDP port to send DNS queries to port 53 of DNS server. Then DNS server replies to client on same port from source UDP port 53. Hence in order to allow DNS client to receive DNS replies without them getting filtered by firewall, we can use:
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
in both '/etc/sysconfig/iptables' and '/etc/sysconfig/ip6tables' files.
Note:
- The filtering is based on source port and not destination port
- For a process to be able to listen on port 53, super user privileges are required. Hence by ensuring that DNS requests go to port 53 we reduce the possibility of normal user running his/her own DNS server. Also since queries are sent from ports > 1024, a normal user process can query DNS server without any set-uid/set-gid etc. mechanisms.
Home > CentOS > CentOS 6.x > Bind DNS server configuration > DNS firewall considerations
