Loading ...Linux Iptables block or open DNS / bind service port 53
The domain name service provided by BIND (named) software. It uses both UDP and TCP protocol and listen on port 53. DNS queries less than 512 bytes are transferred using UDP protocol and large queries are handled by TCP protocol such as zone transfer.
i) named/bind server – TCP/UDP port 53
ii)Client (browser, dig etc) – port > 1023
Allow outgoing DNS client request:
Following iptables rules can be added to your shell script.
SERVER_IP is your server ip address
DNS_SERVER stores the nameserver (DNS) IP address provided by ISP or your own name servers.
Following rules are useful when you run single web/smtp server or even DSL/LL/dialup Internet connections:
SERVER_IP="202.54.10.20" DNS_SERVER="202.54.1.5 202.54.1.6" for ip in $DNS_SERVER do iptables -A OUTPUT -p udp -s $SERVER_IP --sport 1024:65535 -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p udp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT-p tcp -s $SERVER_IP --sport 1024:65535 -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT done
(B) Allow incoming DNS request at port 53:
Use following rules only if you are protecting dedicated DNS server.
SERVER_IP is IP address where BIND(named) is listing on port 53 for incoming DNS queries.
Please note that here I'm not allowing TCP protocol as I don't have secondary DNS server to do zone transfer.
SERVER_IP="202.54.10.20" iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -p udp -s 0/0 --sport 53 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT
Please note if you have secondary server, add following rules to above rules so that secondary server can do zone transfer from primary DNS server:
DNS2_IP="202.54.10.2" iptables -A INPUT -p tcp -s $DNS2_IP --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 53 -d $DNS2_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
Want to stay up to date with the latest Linux tips, news and announcements? Subscribe to our free e-mail newsletter or RSS feed to get all updates.
You can Email this page to a friend.
You may also be interested in other helpful articles:
- Linux Iptables block outgoing access to selected or specific ip address
- Linux: Iptables # 11 How to Block or open http/web service
- Linux Iptables: How to block or open mail server / SMTP protocol
- Linux : Iptables # 4 Block all incoming traffic but allow ssh
- Linux: Iptables # 14 How to allow POP3 server/protocol request
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!
Tags: bind, dns_queries, domain_name_service, iptables_command, open_port_53, tcp_protocol, tcp_udp, udp_port, udp_protocol
Recent Comments
Today ~ 5 Comments
Today ~ 12 Comments
Today ~ 2 Comments
Today ~ 18 Comments
Today ~ 5 Comments