LinuxQuestions.org

Linux - Networking: DNS reply port for firewall (https://www.linuxquestions.org/questions/linux-networking-3/dns-reply-port-for-firewall-123355/)

countcobolt 12-06-2003 05:30 PM

DNS reply port for firewall
 
Hi guys (and girls if any)
I am trying to build a system to be used as a firewall/webserver. There is no DMZ needed, nor a local network, as this is going to be the only server (and PC) connected to the internet.
I am searching for which ports need to be open, so I can have a reply from the DNS when pinging.
Example:
when I ping on my local network to 192.168.0.72
it returns very well
when I ping warlord.zeno.kot (which is 192.168.0.72) I get
unknown host warlord.zeno.kot
Which ports need to be open?
I have opened 53 and 1038, but those don't seem to be the right ones. Hope someone can help me.
thx
Steve aka Countcobolt

Mara 12-06-2003 05:37 PM

Do you block all except 53 and 1038, in and out? If so, probably the answer doesn't come back (you send it using a port above 1024, but you don't know which one will be used). I think it's a good idea to block all below 1024 (without the ones you need), but not those above. In a server configuration nothing listens using them, so it's not a big problem.

countcobolt 12-06-2003 05:45 PM

so I need to drop all ports from 0 -> 1024 and open everything else above?
And I start off with blocking TCP totally, so will I only need to do this for UDP, or also for TCP?
I've been reading something about ICMP.
The end system should be a system which replies to as little as possible.
thx in advance

jcookeman 12-06-2003 06:13 PM

Please describe your configuration. Are you using a cable/DSL router? warlord.zeno.kot is not an FQDN.

ICMP does not use TCP or UDP ports. It's a layer 3 protocol.

chort 12-06-2003 06:24 PM

The problem is DNS resolution. Do not think about it as a ping problem, because DNS is separate from ping. In fact, DNS is an application protocol that runs on top of the UDP and TCP network protocols; ping is only a tool that uses a small subset of the ICMP network layer protocol.

For DNS to work (i.e. outbound queries) you don't need any (inbound) ports open at all, but you must be able to open high (> 1023) ports to make requests (and if you're running named on that machine, you also need to allow port 53 to make outbound connections, since named usually is configured to send requests from this port). Your firewall must also be "stateful" (conntrack for iptables) so that it will remember the outbound requests and allow the corresponding reply.

Now further, it's entirely possible this is not even a DNS problem caused by firewall interference. In /etc/resolv.conf, what nameservers do you have listed? If you're using your ISP's nameservers only, they are not going to find "warlord.zeno.kot" because .KOT is not a valid gTLD (and even if it was, there is no authoritative nameserver for that zone).

You need your /etc/resolv.conf to point to a nameserver that has a zone configured for zeno.kot. As an alternative, you could place the line
    192.168.0.72 warlord.zeno.kot warlord
in your /etc/hosts file and it would resolve fine (as long as /etc/host.conf lists "file" before "bind").

If you want to allow DNS requests to a server that has a firewall (note: I said TO, not FROM) then you need to open 53/UDP and 53/TCP (yes, BOTH--even if you're not allowing axfr/ixfr) for incoming connections.
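The ruleset below is an added example written for this thread, not a script posted by chort, Mara or anyone else here, and it puts their advice into one stateful iptables configuration: default DROP policies, a conntrack rule that lets replies back in (which is what makes the unknown ephemeral source port a non-issue, as Mara describes), outbound 53/UDP and 53/TCP to the nameservers you actually use, and inbound 53/UDP plus 53/TCP only when the box itself runs a nameserver. The interface name eth0, the nameserver address 192.168.0.72 (taken from the thread) and the environment variables WAN_IF, DNS_SERVERS, RUN_NAMED and APPLY are all assumptions of this example. By default it only prints the iptables commands; set APPLY=1 to execute them.

```shell
#!/bin/sh
# Stateful single-host firewall for outbound DNS, dry run unless APPLY=1.
# Assumed placeholders: the WAN interface name and the nameserver list.
WAN_IF="${WAN_IF:-eth0}"                   # assumed interface name
DNS_SERVERS="${DNS_SERVERS:-192.168.0.72}" # internal nameserver from the thread
RUN_NAMED="${RUN_NAMED:-0}"                # 1 only if this host serves DNS itself

# Wrapper: print the command in dry-run mode, execute it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

dns_firewall_rules() {
    # Deny by default in every direction, then start from an empty table.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -F

    # Loopback must stay open for local daemons and the stub resolver.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Stateful core: replies to connections this host initiated are accepted
    # whatever ephemeral (> 1023) source port the resolver picked, so no
    # high-port range has to be opened explicitly.
    ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New outbound DNS queries: UDP for ordinary lookups, TCP for answers
    # that do not fit in a UDP datagram. Restricted to the configured servers.
    for ns in $DNS_SERVERS; do
        ipt -A OUTPUT -o "$WAN_IF" -p udp -d "$ns" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
        ipt -A OUTPUT -o "$WAN_IF" -p tcp -d "$ns" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    done

    # Inbound DNS is only needed when this host is the nameserver; both
    # transports, as chort points out, even without zone transfers.
    if [ "$RUN_NAMED" = "1" ]; then
        ipt -A INPUT -i "$WAN_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
        ipt -A INPUT -i "$WAN_IF" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    fi

    # Anything else that is not a reply hits the DROP policy; keep a
    # rate-limited log so blocked traffic can be reviewed.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW DROP: "
}

dns_firewall_rules
```

Because every allowed reply is matched on connection state rather than on a port range, the ruleset works unchanged whether the resolver sends from port 53 (as chort says named was usually configured to) or from a randomised high port, and the outbound rules scope port 53 to the servers in /etc/resolv.conf instead of the whole Internet. The dry-run default lets you review the generated commands before touching the live table.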

countcobolt 12-07-2003 03:50 AM

I have internal DNS running on another machine in the internal .kot network.
Thx for the advice, first going to do some more thesis work and then I'll be checking this solution

