We have a primary NS on a network which has port 53 open for
outgoing traffic only tcp and udp - not incoming traffic.
Is it still possible to run bind on this machine which is the
primary NS for a domain?
Thanks
Eric Smith
Yes, as long as the origin of the queries to this DNS server is not from the
other side of the firewall.
If there will be queries from the outside, then you need to allow at least
UDP 53 incoming as well. If there will be zone transfers from outside, you
will need TCP 53 also.
Michael Breton
Commtel
How are queries to get to it if you do not open port 53
coming into the unit?
Later, Ken
Eric Smith wrote:
>
> Hi
>
> We have a primary NS on a network which has port 53 open for
> outgoing traffic only tcp and udp - not incoming traffic.
>
> Is it still possible to run bind on this machine which is the
> primary NS for a domain?
>
> Thanks
>
> Eric Smith
--
---------------------------------------------------------------------
Kenneth M. Hays ha...@acns.fsu.edu
Academic Computing and Network Services aka kmh8 at the NIC
Florida State University voice=850-644-2591x129
2035 East Paul Dirac Drive fax=850-644-8722
Tallahassee, Florida 32306-2760 eFax=773-913-0894
---------------------------------------------------------------------
By "primary NS", do you mean it's the master server for some zones? If so,
the slaves will connect to its port 53. If it's an advertised server as
well (i.e. it's listed in the NS records in the zone and/or the delegation
records in the parent zone) then caching servers will also need to connect
to its port 53. You need to allow incoming traffic to port 53 so that it
can answer all these queries.
If it's a caching-only server, only outbound port 53 is necessary.
--
Barry Margolin, barry.m...@level3.com
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
Michael please don't give advice like this again. The
general answer to which transport protocols that should be
open for DNS is *both* TCP and UDP. Your answer made lots
of assumptions which just don't hold in the general case.
You have to allow both UDP and TCP incoming. Ordinary
queries can come in via TCP as well as UDP. Access control
for zone transfers should be done in the server.
As for outgoing the best general solution is to use a
stateful firewall. This will allow queries from any DNS
client to receive answers (helps with trouble shooting).
e.g.
allow out [TCP|UDP] from any port any to any port 53 keepstate.
If you don't have a stateful firewall you will need to force
the UDP queries from named to come from a known port (usually
53 is used as it needs to be open for queries). TCP queries
will come from a source port allocated by the kernel. You
will need to check for established state on the reply
traffic. See query-source, notify-source and transfer-source.
Mark
> Michael Breton
> Commtel
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.A...@isc.org
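As an added illustration of the named.conf directives Mark names above (query-source, notify-source, transfer-source) together with server-side zone-transfer access control, here is a configuration fragment for the stateless-firewall case. It is not from the thread or from ISC; the zone name, file names and the RFC 5737 documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) are placeholders to be replaced with your own. Note the caveat in the comments: pinning the UDP source port to 53 removes source-port randomisation, so the stateful-firewall approach Mark recommends first is the better choice wherever the firewall supports it.

```conf
// named.conf fragment (added example; addresses and names are placeholders).
// Secondary (slave) servers that may pull zones from this primary.
acl "secondaries" { 192.0.2.53; 198.51.100.53; };

options {
    directory "/var/named";

    // Stateless-firewall case: make the UDP queries that named itself
    // originates leave from port 53, so a single inbound rule
    //   allow in udp from any port 53 to 203.0.113.10 port 53
    // also admits the replies. Caveat: this disables source-port
    // randomisation; with a stateful firewall leave query-source unset
    // and use a keep-state rule for outbound port 53 instead.
    query-source address * port 53;

    // Fixed source address for outgoing NOTIFY messages, so the
    // firewall can match them (the UDP port is fixed by query-source).
    notify-source 203.0.113.10;

    // Only used when this host itself fetches zones as a secondary
    // (and for its SOA refresh queries); a pure primary can omit it.
    // TCP source ports are still chosen by the kernel, so the reply
    // traffic needs an "established" rule on the firewall.
    transfer-source 203.0.113.10;

    // Zone-transfer access control is done in the server, not by
    // blocking TCP 53 at the firewall: ordinary queries may arrive
    // over TCP as well as UDP.
    allow-transfer { "secondaries"; };
    allow-query    { any; };
};

zone "example.com" {
    type master;
    file "db.example.com";
    // Send NOTIFY to the secondaries so they refresh promptly.
    also-notify { 192.0.2.53; 198.51.100.53; };
};
```

With this in place the firewall still needs inbound TCP and UDP port 53 to the server's address open to any source (the queries from secondaries and from caching resolvers that Barry describes), plus a rule admitting established TCP replies for the connections named opens; the exact rule syntax depends on the firewall in use.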