DNS is used to look up names and IP addresses. It usually uses a high port on the client and port 53 on the server. When two DNS servers send data from one to the other, both usually use port 53. UDP is used for individual queries and TCP to transfer entire zones. Zone transfers are used, for example, when a secondary name server fetches the zone data from a primary name server.
Some examples of clients are web browsers such as Netscape, Internet Explorer and Lynx. The client usually uses a high port and the server usually port 53. They use UDP as the protocol for transferring questions and answers. A query might also originate from a DNS server forwarding a query from a client program to another DNS server.

When a client program queries a name server and the name server has to query another name server, the queries and data are sent with UDP from port 53 to port 53.

Both UDP and TCP are used for zone transfers. First, a little data is sent with UDP in the same way as when a name server asks another name server for a name or IP address. Then, a TCP connection is made from a high port on the secondary name server to port 53 on the primary name server.

Some versions of Windows contain programs that send DNS queries from port 137. If you use such programs, you have to change 53, 1024-65535 to 53, 137, 1024-65535 in the examples below.
Set up the following services for DNS:

Services

| Name | Protocol | Firewall type | Client ports | Server ports |
|---|---|---|---|---|
| dns | UDP | Packet filter | 53, 1024-65535 | 53 |
| dns-reply | UDP | Packet filter | 53 | 53, 1024-65535 |
| dns-tcp | TCP | Dynamic session management | 1024-65535 | 53 |
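The following script is an added example, not part of the firewall manual: it models the three service definitions above (with the optional port-137 adjustment for Windows) and reports which service, if any, a given packet would match, so the port ranges can be sanity-checked before they are entered into the firewall.

```python
from dataclasses import dataclass

def parse_ports(spec: str) -> list[tuple[int, int]]:
    """Parse the manual's port notation, e.g. "53, 1024-65535",
    into a list of inclusive (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        low, _, high = part.partition("-")
        lo, hi = int(low), int(high or low)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((lo, hi))
    return ranges

def in_ports(port: int, spec: str) -> bool:
    return any(lo <= port <= hi for lo, hi in parse_ports(spec))

@dataclass(frozen=True)
class Service:
    name: str
    proto: str          # "UDP" or "TCP"
    client_ports: str   # side that sends the query / opens the connection
    server_ports: str

def dns_services(windows_137: bool = False) -> list[Service]:
    """The three services from the table. windows_137 applies the port-137
    change the text describes for some Windows programs."""
    high = "53, 137, 1024-65535" if windows_137 else "53, 1024-65535"
    return [
        Service("dns", "UDP", high, "53"),
        Service("dns-reply", "UDP", "53", high),
        Service("dns-tcp", "TCP", "1024-65535", "53"),
    ]

def match_service(proto: str, sport: int, dport: int,
                  windows_137: bool = False):
    """Name of the first service a packet (proto, src port, dst port)
    matches, or None if no DNS service would pass it."""
    for svc in dns_services(windows_137):
        if (svc.proto == proto.upper()
                and in_ports(sport, svc.client_ports)
                and in_ports(dport, svc.server_ports)):
            return svc.name
    return None
```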
DNS requires rules for both directions through the firewall. See the figure on the previous page.
To allow DNS queries to come in from the outside, and a secondary DNS server on the outside to retrieve part of or the entire database, enter the following rules for the internal server. Add a rule to allow the replies to get through:
To allow DNS queries to go out from the inside, and a secondary DNS server on the inside to retrieve part of or the entire database of an external primary DNS server, enter the following rules for external servers. Add a rule for incoming traffic to allow the replies to get through:
It is not common to allow DNS queries into a NATed network, as the computers on this network are supposed to be hidden from the outside network. However, this is how to let the queries through.
For DNS queries from the outside to an internal DNS server, a UDP relay is needed (UDP relays can also be used when NAT isn't used). Define the relay under Relays:
Relays

| Listen to: IP address | Listen to: Port | Relay to: DNS name or IP address | Relay to: Port | Relay type | Allow access from: Networks |
|---|---|---|---|---|---|
| Outside (1.2.3.4) | 53 | DNS server | 53 | UDP relay | Internet |
The relay does not need a firewall rule for traffic in the other direction.
To query an external DNS server from the inside, firewall rules for outgoing traffic are needed. Since NAT is used, no rules for the reply traffic are needed.