Linux Iptables block or open DNS / bind service port 53

Author: Vivek Gite Last updated: July 13, 2005 4 comments

The domain name service provided by BIND (named) software. It uses both UDP and TCP protocol and listen on port 53. DNS queries less than 512 bytes are transferred using UDP protocol and large queries are handled by TCP protocol such as zone transfer.

i) named/bind server – TCP/UDP port 53

ii)Client (browser, dig etc) – port > 1023

Allow outgoing DNS client request:

Following iptables rules can be added to your shell script.

SERVER_IP is your server ip address

DNS_SERVER stores the nameserver (DNS) IP address provided by ISP or your own name servers.

Following rules are useful when you run single web/smtp server or even DSL/LL/dialup Internet connections:

SERVER_IP="202.54.10.20"
DNS_SERVER="202.54.1.5 202.54.1.6"
for ip in $DNS_SERVER
do
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 1024:65535 -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT-p tcp -s $SERVER_IP --sport 1024:65535 -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
done

(B) Allow incoming DNS request at port 53:

Use following rules only if you are protecting dedicated DNS server.

SERVER_IP is IP address where BIND(named) is listing on port 53 for incoming DNS queries.

Please note that here I’m not allowing TCP protocol as I don’t have secondary DNS server to do zone transfer.

SERVER_IP="202.54.10.20"
iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 53 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT

Please note if you have secondary server, add following rules to above rules so that secondary server can do zone transfer from primary DNS server:

DNS2_IP="202.54.10.2"
iptables -A INPUT -p tcp -s $DNS2_IP --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 53 -d $DNS2_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 4 comments so far... add one
Related Posts
CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
4 comments… add one
  • sims Apr 3, 2009 @ 14:27

    Hey buddy,

    check out this line in your how to:

    iptables -A OUTPUT-p

    Poor copy and pasters

    Reply Link
  • sims Apr 3, 2009 @ 15:06

    Also say your running a name server and you need to communicate with any name servers:


    IPADDR=xxx.xxx.xxx.xxx
    UNPRIVPORTS="1024:65535"
    iptables -A OUTPUT -p udp -s $IPADDR --sport $UNPRIVPORTS -d 0/0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p udp -s 0/0 --sport 53 -d $IPADDR --dport $UNPRIVPORTS -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -s $IPADDR --sport $UNPRIVPORTS -d 0/0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --sport 53 -d $IPADDR --dport $UNPRIVPORTS -m state --state ESTABLISHED -j ACCEPT

    Reply Link
  • Crisu Feb 4, 2010 @ 17:44

    Hi guys, don’t know it is right place to post it but i’d like to ask does any of you know how to change that port 53 to port 25. Our profesors in scool gave us something like this to solve.

    Reply Link
  • Tricky Nov 3, 2010 @ 6:37

    For pure and simple DNS client (not hosting DNS server and so on), I scripted it as follows:
    for dnsserverip in `grep nameserver /etc/resolv.conf | sed 's/.* //'` ; do
    /usr/sbin/iptables -A INPUT -p udp --dport 53 -s $dnsserverip -m state --state NEW -j ACCEPT
    /usr/sbin/iptables -A INPUT -p tcp --dport 53 -s $dnsserverip -m state --state NEW -j ACCEPT
    done

    I also have separate lines in my generic iptables script globally allowing “ESTABLISHED,RELATED”, negating the need for adding these parameters elsewhere.

    Reply Link

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum

Next post:

Previous post:

Sign up for my newsletter

Sign up for my newsletter