UDP port 53 connections

Aug 20th, 2009

My logs are indicating udp 53 connections to my primary windows2003 domain controller located on the inside of my ASA5510 from outside sources...are these DNS connections related to the stateful connections initiated from the domain controller?

Jon Marshall Thu, 08/20/2009 - 03:59


I don't have access to a firewall these days but if you do could you check something for me.

My understanding was that UDP is "pseudo-stateful" on a stateful firewall, i.e. it isn't truly stateful as you say because there are no flags (SYN/ACK/FIN/RST), but a stateful firewall still keeps a pseudo state by recording the src/dst IP and port numbers and using a timer, i.e. when it sees the initial UDP packet go out it sets a timer and if it sees the response based on IP and port numbers within the specified time it assumes it is part of the same connection.

What I can't remember is if the connection is initiated from inside to the outside and an entry is made in the state table, for UDP does the return traffic also put an entry into the state table. My understanding was that it didn't because it just used the existing entry.

So I would have said if the OP is seeing in his logs connections to his domain controller these can't be responses to outbound queries but new connections.

Apologies for the long-windedness, think I might need to bone up on my firewall knowledge again :-)


boondocker Thu, 08/20/2009 - 06:20

Is this something I should worry about? Is there any way of blocking these replies to my primary DC?

Thanks all

Jon Marshall Thu, 08/20/2009 - 08:56


Not sure it is replies to outbound connections. Does your ACL on the outside interface allow DNS queries? Could you post your ACL?



Sorry for the late reply - been busy.

You are correct - the firewall will keep track of the "connection" through itself, using src/dst IP with src/dst port numbers - also binding them into a NAT/PAT table, also used to some extent for verification of a valid session. Any connectionless protocol passing through the firewall will only be closed after the timeout.

I suppose the question is - is there an acl to permit DNS queries sourced from the outside to the Domain Controller??

No worries Jon!
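The pseudo-state behaviour described in Jon's first post and in the reply above (src/dst IP and ports recorded on the outbound packet, an idle timer, the reply matched against the existing entry, and anything without a matching entry treated as a new connection the outside ACL has to decide on) can be modelled in a few lines. The following is an added illustration, not code from the thread or from the ASA; the addresses, the 120-second idle timeout, the `Flow`/`UdpStateTable` names and the `acl_permits` callback are all assumptions made for the example.

```python
# Added example: a minimal model of "pseudo-stateful" UDP tracking on a
# stateful firewall. Not the ASA's actual implementation.
from dataclasses import dataclass

UDP_IDLE_TIMEOUT = 120  # seconds; assumed value for the example, not from the thread


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        """The 5-tuple a reply to this packet would carry."""
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class UdpStateTable:
    def __init__(self, timeout=UDP_IDLE_TIMEOUT):
        self.timeout = timeout
        self.entries = {}  # Flow -> time the entry was last refreshed

    def _expire(self, now):
        # Connectionless traffic is only torn down by the idle timer.
        for flow, last in list(self.entries.items()):
            if now - last > self.timeout:
                del self.entries[flow]

    def outbound(self, flow, now):
        """Inside -> outside packet: create (or refresh) the pseudo-state entry."""
        self._expire(now)
        self.entries[flow] = now
        return "new-outbound"

    def inbound(self, flow, now, acl_permits):
        """Outside -> inside packet: a reply reuses the existing entry; anything
        else is a new connection and the outside-interface ACL decides."""
        self._expire(now)
        orig = flow.reverse()
        if orig in self.entries:
            self.entries[orig] = now  # reply refreshes the timer, no new entry
            return "reply"
        if acl_permits(flow):
            self.entries[flow] = now
            return "new-inbound-permitted"
        return "new-inbound-denied"


def demo_scenario():
    """Constructed packet sequence (RFC 5737 documentation addresses):
    the inside DC queries an outside resolver, the resolver answers, an
    unrelated outside host sends to the DC on udp/53, and a late answer
    arrives after the idle timer has expired the original entry."""
    dc, resolver, stranger = "192.0.2.10", "198.51.100.53", "203.0.113.7"
    table = UdpStateTable()
    no_inbound_dns = lambda flow: False  # outside ACL with no udp/53 permit to the DC
    query = Flow(dc, 1025, resolver, 53)
    return [
        table.outbound(query, now=0),
        table.inbound(query.reverse(), now=1, acl_permits=no_inbound_dns),
        table.inbound(Flow(stranger, 40000, dc, 53), now=5, acl_permits=no_inbound_dns),
        table.inbound(query.reverse(), now=200, acl_permits=no_inbound_dns),
    ]


if __name__ == "__main__":
    for verdict in demo_scenario():
        print(verdict)
```

The point the model makes explicit is the one Jon argues: a reply never shows up as its own connection, it just refreshes the entry the outbound query created. So a log line that reports a new udp/53 connection from the outside to the DC is, in this model, exactly the third or fourth case above: either a fresh inbound packet that the outside ACL permitted, or a packet that arrived after the original entry had timed out, and in both cases it is the ACL on the outside interface that decides whether it gets through.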

Jon Marshall Thu, 08/20/2009 - 08:57


Thanks for that. It's one of those things where you've seen it a thousand times but as I don't have access to a firewall I just wasn't sure.

"I suppose the question is - is there an acl to permit DNS queries sourced from the outside to the Domain Controller??"

Yes, that was my thinking as well.


