I have unblocked port 53 on my firewall config, but still my firewall is blocking my DNS lookup.

I know the DNS lookup is working because if I change my default INPUT policy to ACCEPT, then the name resolution is done correctly.

This is the iptables script

# Generated by iptables-save v1.3.5 on Fri Dec  3 12:23:49 2010
*filter
:INPUT DROP [41:3304]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [558:59294]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
-A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
-A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
-A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s 172.16.0.4 -j DROP
-A OUTPUT -s 172.16.0.136 -j DROP
-A OUTPUT -s 172.16.0.135 -j DROP
COMMIT
# Completed on Fri Dec  3 12:23:49 2010

iptables -L yields

[root@saas-dev-dcpc ~]# iptables -L
 Chain INPUT (policy DROP)
 target     prot opt source               destination
 ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:ssh
 ACCEPT     tcp  --  172.16.0.134         anywhere            tcp spts:1024:65535 dpt:http
 ACCEPT     tcp  --  172.16.0.134         anywhere            tcp spts:1024:65535 dpt:https
 ACCEPT     tcp  --  172.16.0.134         anywhere            tcp spts:1024:65535 dpt:ftp-data
 ACCEPT     tcp  --  172.16.0.134         anywhere            tcp spts:1024:65535 dpt:ftp
 ACCEPT     icmp --  anywhere             anywhere            icmp any
 ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
 ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
 ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain

 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination
 DROP       all  --  172.16.0.4           anywhere
 DROP       all  --  172.16.0.136         anywhere
 DROP       all  --  172.16.0.135         anywhere

 Chain RH-Firewall-1-INPUT (0 references)
 target     prot opt source               destination 

I think this would be solved if you added a -m state --state RELATED,ESTABLISHED -j ACCEPT rule to all the chains. It looks like you may be allowing DNS traffic in one direction only.

Alternately, try rules with --sport 53 too.
So your DNS packets are being blocked by the INPUT chain's DROP policy, even though you clearly have iptables rules that should ACCEPT incoming UDP and TCP packets to port 53. That is strange. To get more clues about what is going wrong, add a LOG rule to the end of your iptables ruleset, as follows:

iptables -A INPUT -j LOG

Do some DNS queries and see what (if anything) shows up in the system log files (probably /var/log/syslog and/or /var/log/messages). If incoming DNS query packets are getting dropped, they will be logged by the above rule.

If nothing shows up in the logs, then something else is going wrong that is preventing your DNS server from responding. Not knowing anything about your system, I will not hazard many guesses, but I do note that you have not excluded the loopback adapter from INPUT filtering.

Try adding the following to the top of your ruleset:

-A INPUT -i lo -j ACCEPT

Even if this doesn't fix your problem, it's probably a good idea to include this rule anyway, since some programs depend on a functioning loopback adapter to work correctly.