# IPFW rules for DNS Resolvers



## manju_kalita (Jan 3, 2011)

Hi All,

I have the Resolver server in the open and need to use IPFW rules to secure the server. First I configured the following rules to open port 53 for DNS queries:

For incoming queries: 

```
allow udp from any to <Resolver external VIP> dst-port 53 keep-state
```

For Recursive 

```
allow udp from any to <Resolver external VIP> dst-port 53 keep-state
```

But the default kernel limit for dynamic rules is 256 (the default of net.inet.ip.fw.dyn_buckets in /etc/sysctl.conf). When I activated the resolver with dynamic rules, once the DNS query sources crossed a certain limit, collisions occurred and the connection to the server also went down. The resolver also stopped working, as it was using dynamic rules for port 53 both ways.

If we configure the Resolver with the following static rules, everything should work:

For recursive queries: 

```
allow udp from me to any dst-port 53
allow udp from any 53 to me
```

For Incoming DNS queries: 

```
allow udp from any to <Resolver external VIP> dst-port 53
allow udp from <Resolver external VIP> 53 to any
```

Please let me know if there is a limit for static rules too. I could not find anything related to this on Google.

Thanks & Regards,
Manju


----------



## manju_kalita (Jan 3, 2011)

Guys,
One correction: I used the following dynamic rules first, which were not working because of the bucket limits.

For incoming queries: 

```
allow udp from any to <Resolver external VIP> dst-port 53 keep-state
```

For Recursive queries:

```
allow udp from me to any dst-port 53 keep-state
```

Thanks & Regards,
Manju


----------



## SirDice (Jan 3, 2011)

You need to allow both TCP and UDP to port 53.


----------



## manju_kalita (Jan 4, 2011)

I have tested for UDP on the development server and it's working well. As DNS queries are UDP packets, I allowed only UDP to the server. Any particular reason why we also need TCP on port 53?

Thanks & Regards,
Manju


----------



## SirDice (Jan 4, 2011)

> manju_kalita said:
> As DNS queries are UDP packets, I allowed only UDP to the server. Any particular reason why we also need TCP on port 53?


Because DNS uses both UDP and TCP. If a query and answer don't fit in a UDP packet, it'll use TCP. Windows machines are also quite fond of doing DNS via TCP.


----------

