Is it necessary to permit udp eq domain through firewall?

Answered Question
Aug 25th, 2009

In the firewall configuration I inherited, I see the firewall allows inbound DNS packets when coming from a designated external DNS server, for example:

access-list 101 permit udp host eq domain host <myNetOutsideAddress>

Is it necessary or desirable to do this? If this were TCP I think the answer would be "no" since DNS is a connectionless protocol, but for udp I am unsure.

My network has an internal DNS server for internal name lookup, but the internal names are not usable nor intended to be used from outside.

Correct Answer

No - this will allow any "un-triggered/un-requested" DNS updates to be sent to your DNS server.

If any clients on your "inside" need to resolve, as long as you are not blocking inside<>outside then the DNS reply that was initiated from the inside will be dynamically allowed through.
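To make the answer's point concrete, here is a small Python model of how a stateful firewall treats UDP DNS. It is an added example and not code from the thread or from any Cisco product: it shows that a query leaving the inside creates a state entry, the matching reply is let back in with no inbound ACL line at all, and an unsolicited inbound udp/53 packet is dropped unless a static permit like the inherited one exists. Addresses are constructed from the RFC 5737 documentation ranges, the trace is constructed, and NAT and state timeouts are deliberately left out.

```python
"""Toy model of stateful firewall handling of UDP DNS (added example).

Models the behaviour described in the answer: outbound DNS queries create
a state entry, the matching reply is permitted by that state, and
unsolicited inbound udp/53 is denied unless a static inbound permit
(the questioner's inherited ACL line) matches it.  NAT and timeouts omitted.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DOMAIN = 53  # "eq domain" in Cisco ACL syntax

# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
INSIDE_RESOLVER = "192.0.2.10"    # the internal DNS server
OUTSIDE_DNS = "198.51.100.53"     # the designated external DNS server
OTHER_OUTSIDE = "203.0.113.7"     # some other outside host


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = inside->outside, "in" = outside->inside


# Static inbound ACL entry: (proto, src_ip, src_port, dst_ip, dst_port);
# None stands for "any".
StaticRule = Tuple[str, Optional[str], Optional[int], Optional[str], Optional[int]]


class StatefulFirewall:
    def __init__(self, static_inbound: List[StaticRule]):
        self.static_inbound = static_inbound
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    @staticmethod
    def _match(rule: StaticRule, p: Packet) -> bool:
        proto, sip, sport, dip, dport = rule
        return (proto == p.proto
                and sip in (None, p.src_ip)
                and sport in (None, p.src_port)
                and dip in (None, p.dst_ip)
                and dport in (None, p.dst_port))

    def process(self, p: Packet) -> str:
        """Return 'permit:state', 'permit:static' or 'deny' for one packet."""
        if p.direction == "out":
            # Outbound traffic is allowed and remembered so its reply can return.
            self.flows.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "permit:state"
        reverse = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if reverse in self.flows:
            # Reply to a query we saw leave.  One reply closes the UDP flow
            # (simplification of DNS-guard style behaviour); a second
            # packet claiming to be the same reply is no longer matched.
            self.flows.discard(reverse)
            return "permit:state"
        if any(self._match(r, p) for r in self.static_inbound):
            return "permit:static"
        return "deny"


def trace() -> List[Packet]:
    """Constructed packet sequence: one normal lookup, then two unsolicited packets."""
    return [
        Packet("udp", INSIDE_RESOLVER, 41523, OUTSIDE_DNS, DOMAIN, "out"),  # query
        Packet("udp", OUTSIDE_DNS, DOMAIN, INSIDE_RESOLVER, 41523, "in"),   # its reply
        Packet("udp", OUTSIDE_DNS, DOMAIN, INSIDE_RESOLVER, DOMAIN, "in"),  # unsolicited, trusted server
        Packet("udp", OTHER_OUTSIDE, DOMAIN, INSIDE_RESOLVER, DOMAIN, "in"),  # unsolicited, other host
    ]


def run(static_inbound: List[StaticRule]) -> List[str]:
    fw = StatefulFirewall(static_inbound)
    return [fw.process(p) for p in trace()]


# The inherited line from the question, in this model's terms:
# permit udp host <external DNS> eq domain host <my address>
INHERITED_PERMIT: StaticRule = ("udp", OUTSIDE_DNS, DOMAIN, INSIDE_RESOLVER, None)

if __name__ == "__main__":
    print("without the static permit:", run([]))
    print("with the inherited permit:", run([INHERITED_PERMIT]))
```

Running it shows the reply to the inside-originated query is permitted in both configurations; the only difference the inherited line makes is that an unsolicited packet sourced from the external server's port 53 is let in, which is exactly the unrequested traffic the answer warns about.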
