Is it necessary to permit udp eq domain through firewall?

DaleKnutsen
Level 1

In the firewall configuration I inherited, I see the firewall allows inbound DNS packets when coming from a designated external DNS server, for example:

access-list 101 permit udp host 206.13.31.12 eq domain host <myNetOutsideAddress>

Is it necessary or desirable to do this? If this were TCP I think the answer would be "no" since DNS is a connectionless protocol, but for UDP I am unsure.

My network has an internal DNS server for internal name lookup, but the internal names are neither usable nor intended to be used from outside.

Accepted Solution

andrew.prince
Level 10

No - this will allow any "un-triggered/un-requested" DNS updates to be sent to your DNS server.

If any clients on your "inside" need to resolve, as long as you are not blocking inside<>outside then the DNS reply that was initiated from the inside will be dynamically allowed through.

HTH
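To make the distinction in the answer concrete, here is an added Python model (not code from the thread or from any Cisco product) of the two admission paths: the inherited static ACE, which checks only source host/port and destination host, versus a stateful firewall, which admits an inbound UDP packet only when it reverses a query it saw leave. The outside address 203.0.113.10 and the client port are constructed placeholders; only 206.13.31.12 comes from the question.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One UDP packet as a firewall sees it: source/destination address and port."""
    src: str
    sport: int
    dst: str
    dport: int


EXTERNAL_DNS = "206.13.31.12"   # from the inherited ACE
OUTSIDE_ADDR = "203.0.113.10"   # constructed stand-in for <myNetOutsideAddress>


def static_ace_permits(p: Pkt) -> bool:
    """Mirror of 'permit udp host 206.13.31.12 eq domain host <outside>'.

    Only the source host, source port 53 and destination host are checked;
    whether anyone inside ever sent a query is irrelevant to this rule.
    """
    return p.src == EXTERNAL_DNS and p.sport == 53 and p.dst == OUTSIDE_ADDR


class StatefulFirewall:
    """Minimal return-traffic tracker: remembers outbound UDP flows by 4-tuple."""

    def __init__(self) -> None:
        self._flows = set()

    def outbound(self, p: Pkt) -> None:
        # Record the post-NAT flow so its exact reverse can be admitted later.
        self._flows.add((p.src, p.sport, p.dst, p.dport))

    def inbound_permitted(self, p: Pkt) -> bool:
        # Admit only a packet that is the reverse of a flow we saw leave.
        return (p.dst, p.dport, p.src, p.sport) in self._flows


def demo() -> dict:
    """Compare both paths for a genuine reply and for an unsolicited packet."""
    fw = StatefulFirewall()
    fw.outbound(Pkt(OUTSIDE_ADDR, 51234, EXTERNAL_DNS, 53))        # inside client's query, post-NAT
    reply = Pkt(EXTERNAL_DNS, 53, OUTSIDE_ADDR, 51234)              # the answer to that query
    unsolicited = Pkt(EXTERNAL_DNS, 53, OUTSIDE_ADDR, 53)           # nobody asked; aimed at port 53
    return {
        "reply_static": static_ace_permits(reply),
        "reply_stateful": fw.inbound_permitted(reply),
        "unsolicited_static": static_ace_permits(unsolicited),
        "unsolicited_stateful": fw.inbound_permitted(unsolicited),
    }
```

The static rule admits both packets, while the stateful path admits only the reply; that gap is the "un-requested" traffic the answer refers to.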

