Firewall BIND

[IuckDuth]

Hello, I have problem with firewall. When the firewall is stopped I have connection with port 53 from external ip. When firewall is with status: start; I can't connect to port 53 except localhost.

I using this line to 'open' the port;

pass in on $ext_if proto tcp to ($ext_if) port 53

Thank you

 

[graudeejs]

You need proto udp
Actually DNS can use both (tcp and udp) but I haven't seen tcp ever (But, you know, I'm not sys admin either)

Also you need to pass packets out. I don't remember how to do this correctly with pf, either add keep state or make another rule, to pass dns out.
I think keep state should work though.

 

[throAU]

I suspect DNS uses TCP sometimes for things like zone transfers - but either way the spec is that DNS uses both UDP and TCP so you need to allow both, as above.

 

[DutchDaemon]

DNS also uses TCP for replies bigger than 512 bytes (which is the UDP maximum payload for this service). You must allow tcp/53 for DNS in/out to work. Unwanted zone transfers must be disallowed in named.conf.