To allow a DNS server to operate use the following rules (assuming your blocking inbound and outbound in iptables)

DNS communicated in to destination port 53 but can come from any port in the upper range. So these rules require a large section of ports to allow access as long as they want to talk to 53.

iptables -A OUTPUT -p udp –dport 53 –sport 1024:65535 -j ACCEPT

iptables -A INPUT -p udp –dport 53 –sport 1024:65535 -j ACCEPT

© 2010, Joseph Griffiths. All rights reserved.

6 Thoughts to “iptables rules for DNS server”

  1. As a note to the next reader, be aware that the long dashes above should be double dashes. That is –dport should read –dport

  2. This didn’t work for me. I had to use:
    iptables -A OUTPUT -p udp –sport 53 -j ACCEPT
    iptables -A INPUT -p udp –dport 53 -j ACCEPT

  3. Thanks for reading you are correct that if you are going to be doing most DNS replication you must be include TCP and UDP. On bind you can configure this replication to be UDP only if desired. I would always use TCP.

Leave a Reply