
IPFW rules for DNS Resolvers

manju_kalita

New Member



#1
Hi All,

I have the Resolver server out in the open and need to use IPFW rules for the security of the server. First I configured the following rules to open port 53 for DNS queries:

For incoming queries:
Code:
allow udp from any to <Resolver external VIP> dst-port 53 keep-state
For Recursive
Code:
allow udp from any to <Resolver external VIP> dst-port 53 keep-state
But the default kernel limit for dynamic rules is 256 (the default of net.inet.ip.fw.dyn_buckets in /etc/sysctl.conf). When I activated the resolver with dynamic rules, once the number of DNS query sources crossed a certain limit, collisions occurred and the connection to the server also went down. The resolver also stopped working, as it was using dynamic rules for port 53 in both directions.

If we configure the Resolver with the following static rules, everything should work:

For recursive queries:
Code:
allow udp from me to any dst-port 53
allow udp from any 53 to me
For Incoming DNS queries:
Code:
allow udp from any to <Resolver external VIP> dst-port 53
allow udp from <Resolver external VIP> 53 to any
Please let me know if there is a limit for static rules too. I could not find anything related to this on Google.

Thanks & Regards,
Manju
 

manju_kalita

New Member



#2
Guys,
One correction: I used the following dynamic rules first, which were not working because of the bucket limits.

For incoming queries:
Code:
allow udp from any to <Resolver external VIP> dst-port 53 keep-state
For Recursive queries:
Code:
allow udp from me to any dst-port 53 keep-state

Thanks & Regards,
Manju
 

SirDice

Administrator
Staff member
Moderator


#3
You need to allow both TCP and UDP to port 53.
 

manju_kalita

New Member



#4
I have tested UDP on the development server and it's working well. As DNS queries are UDP packets, I allowed only UDP to the server. Any particular reason why we also need TCP on port 53?

Thanks & Regards,
Manju
 

SirDice

Administrator
Staff member
Moderator


#5
manju_kalita said:
As DNS queries are UDP packets, I allowed only UDP to the server. Any particular reason why we also need TCP on port 53?
Because DNS uses both UDP and TCP. If the query and answer don't fit in a UDP packet, it'll use TCP. Windows machines are also quite fond of doing DNS via TCP.
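As an added example (not code from this thread or from FreeBSD itself), the POSIX sh script below prints the static ruleset from post #1 extended with TCP as advised here, and audits any ipfw rule text for the two issues raised in the thread: no TCP/53 rule, and reliance on keep-state (dynamic) rules that are capped by the dyn_* sysctls. The VIP 192.0.2.53 used in the test is a documentation placeholder, not a real address.

```shell
#!/bin/sh
# Generate the static DNS resolver ruleset from the thread, extended with TCP,
# and audit ipfw rule text for missing TCP/53 and for keep-state (dynamic) rules.

# Print static rules for a resolver whose external VIP is $1 (caller-supplied).
dns_static_rules() {
    vip="$1"
    for proto in udp tcp; do
        # incoming queries from clients, and the matching replies
        printf 'allow %s from any to %s dst-port 53\n' "$proto" "$vip"
        printf 'allow %s from %s 53 to any\n' "$proto" "$vip"
        # recursive lookups from the resolver itself, and their answers
        printf 'allow %s from me to any dst-port 53\n' "$proto"
        printf 'allow %s from any 53 to me\n' "$proto"
    done
}

# Read rule text on stdin, one rule per line (an optional leading rule number,
# as printed by "ipfw list", is tolerated). Returns 0 when both UDP and TCP are
# allowed to dst-port 53, 1 otherwise; prints a note when keep-state is in use.
check_dns_rules() {
    rules=$(cat)
    rc=0
    for proto in udp tcp; do
        n=$(printf '%s\n' "$rules" \
            | grep -Ec "^([0-9]+ +)?allow $proto from .* dst-port 53" || true)
        if [ "$n" -eq 0 ]; then
            echo "missing: no allow rule for $proto to dst-port 53"
            rc=1
        fi
    done
    if printf '%s\n' "$rules" | grep -q 'keep-state'; then
        echo "note: keep-state rules are dynamic; their number is bounded by" \
             "net.inet.ip.fw.dyn_buckets and net.inet.ip.fw.dyn_max"
    fi
    return $rc
}
```

Run `dns_static_rules <vip> | check_dns_rules` to confirm the generated set passes, or pipe an existing ruleset file into `check_dns_rules` to audit it.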