Locking down an application server. The server hosts a web app that is served via HTTP. There are a few other ports open as well.

Port 53 is open for DNS. Why would I need this?

Extra: (You do not need to answer this, but...) Would this command open that port using iptables in Linux?

#  iptables -A INPUT -m tcp -p tcp --dport 53 -j ACCEPT

Solution 1:

Port 53 is open for DNS. Why would I need this?

You need to have UDP 53 allowed for responses to DNS queries that your server sends, as UDP is a stateless protocol. Don't block it if you want any kind of outbound connectivity, software updates, etc.

Note that for name resolution software in most modern operating systems that's been patched with DNS source port randomization, the source port of the queries (and thus, the destination port of the response) won't necessarily be 53; in those cases, it's probably safe (but unnecessary, unless you have a rogue DNS resolver listening) to block UDP port 53.

Would this command secure that port using iptables in Linux?

You don't need to allow TCP 53 inbound unless your server is actually a DNS server. Your second command has -m udp -p tcp, which doesn't make a lot of sense... typo?

Solution 2:

If you only use your local network, use a local nameserver, and have no connection to random sites on the Internet, then you do not need to leave port 53 open. But if you do want to use the Internet, then you need to be able to translate hostnames to IP addresses. For that you need DNS.

Solution 3:

When would you open port 53? I would assume when you are hosting DNS zones. Are you running DNS internally or subbing it out? If you run it, then you had better have 53 open if you want anyone to get the records. As you said you have your DNS hosted elsewhere, there is no reason to keep these ports open, even with vhosts and whatnot.

As far as the iptables rule goes, I'm not sure what you mean by "secure", but that will open the port for you.
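The following script is an added example, not code from the original question or any of the answers. It puts Solution 1's stateful point (replies to the server's own queries come back to whatever source port the resolver library picked, so they are matched by conntrack, not by an inbound dport-53 rule) and Solution 3's point (open 53 inbound only when the host serves zones) into one iptables policy. It assumes iptables with the conntrack and multiport matches, a resolver at the documentation address 192.0.2.53 (substitute the entries from your /etc/resolv.conf), and iproute2's ss for the listener audit; setting IPT=echo previews the commands without root.

```shell
#!/bin/sh
# Added example (not from the original thread): iptables policy for a web
# server that is only a DNS *client*, plus the extra rules needed only when
# the host is authoritative for zones. IPT=echo previews without root.
IPT="${IPT:-iptables}"

# Rules for a host that only *sends* DNS queries.
# Arguments: resolver addresses (192.0.2.53 in the usage note is an assumed
# placeholder; use the servers from /etc/resolv.conf).
web_dns_client_rules() {
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to our own queries (UDP or TCP, any ephemeral source port) are
    # tracked by conntrack as ESTABLISHED, so no inbound dport-53 rule is needed.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Services this host actually offers: the web app and admin SSH.
    $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Outbound DNS, restricted to the configured resolvers. TCP 53 is needed
    # too: resolvers retry over TCP when a UDP response is truncated.
    for ns in "$@"; do
        $IPT -A OUTPUT -p udp -d "$ns" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
        $IPT -A OUTPUT -p tcp -d "$ns" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    done
    # Outbound HTTP/HTTPS so package updates keep working with OUTPUT at DROP.
    $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
}

# Extra rules, only for a host that serves zones itself. (The "-m tcp -p tcp"
# in the question is harmless but redundant: -p tcp already loads the tcp match.)
authoritative_dns_rules() {
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 53 -j ACCEPT
}

# Audit: anything listening on 53 that should not be (the "rogue DNS resolver"
# case). Requires iproute2's ss; prints nothing when no socket is bound to 53.
dns_listeners() {
    ss -Hlunp 'sport = :53'
    ss -Hltnp 'sport = :53'
}
```

To preview the rule set without touching the firewall: `IPT=echo; . ./dns-fw.sh; web_dns_client_rules 192.0.2.53`. Only add `authoritative_dns_rules` when this host actually answers for a zone; for the poster's setup (DNS hosted elsewhere) the client rules alone are sufficient, and `dns_listeners` should print nothing.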

Solution 4:

DNS uses UDP port 53

Why would I need this?

If you want to use your server as a DNS server (for example you're hosting your own domains)