When configuring DNS services on CentOS, many administrators encounter issues with port 53 accessibility despite seemingly correct iptables rules. The original configuration shows common mistakes that prevent proper DNS functionality:
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
There are several problems with this initial approach:
- The INPUT rule matches packets whose source port is 53, i.e. replies coming back from other resolvers when this host is the client. Queries sent to this server arrive with destination port 53 and an arbitrary source port, so they are never matched and fall through to the DROP policy
- No TCP rules: zone transfers (AXFR/IXFR) always run over TCP, and a response too large for UDP is truncated and retried over TCP
- No connection tracking: without an ESTABLISHED,RELATED rule, return traffic for the host's own connections is dropped
Here's the proper way to configure iptables for DNS services (this is the /etc/sysconfig/iptables format read by iptables-restore):
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and return traffic first, so they are matched before anything else
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Put your management access (e.g. SSH) here: with a DROP policy, loading this
# file without such a rule locks you out of a remote box
# DNS Inbound (UDP): queries arrive with destination port 53
-A INPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
# DNS Inbound (TCP): zone transfers and truncated-answer retries
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 -j ACCEPT
# DNS Outbound (redundant while the OUTPUT policy is ACCEPT; kept for when it is tightened)
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
After applying these rules, verify with:
# Check iptables rules (counters show whether the DNS rules are actually being hit)
iptables -L -n -v
# Test DNS resolution
dig @your_server_ip example.com
# Port scan verification (run as root; a UDP scan reports open|filtered unless the service answers, so dig is the conclusive test)
nmap -sU -p 53 your_server_ip
Run the dig and nmap checks from a different host: traffic the server sends to its own address travels over the lo interface, which the loopback rule accepts unconditionally, so a local test never exercises the --dport 53 rules.
Problem: The server answers queries, but its own lookups (forwarding, recursion) time out
Solution: Replies to the host's own queries come back to a high port from source port 53, so they are only admitted by the RELATED,ESTABLISHED rule; make sure that rule is present in the INPUT chain and sits before any DROP
Problem: Zone transfers fail
Solution: Add the TCP rules. AXFR/IXFR always use TCP, and a UDP answer over 512 bytes (without EDNS) is truncated and retried over TCP
Problem: Rules don't persist after reboot
Solution: Save rules with service iptables save
or iptables-save > /etc/sysconfig/iptables
On CentOS 7 the default firewall is firewalld; the iptables service and its save command come from the iptables-services package and require firewalld to be disabled first.
For enhanced security, consider:
# Rate limiting to prevent abuse
-A INPUT -p udp --dport 53 -m limit --limit 5/second -j ACCEPT
-A INPUT -p udp --dport 53 -j DROP
Note that -m limit is a single bucket shared by all clients: with the default --limit-burst 5, once the burst is spent the whole server answers at most five queries a second and everything else hits the DROP. Treat it as an emergency brake, raise the rate for any real workload, and use -m hashlimit with --hashlimit-mode srcip when you want a per-client limit. These two rules must replace the unconditional --dport 53 ACCEPT above rather than follow it, or they are never reached.
Or restricting access to specific networks:
-A INPUT -p udp -s 192.168.1.0/24 --dport 53 -j ACCEPT
Add a matching -p tcp rule, and keep in mind that UDP source addresses are trivially spoofed, so for a server exposed to the Internet the firewall cannot stand in for disabling open recursion in the DNS server itself.
When setting up DNS services on CentOS, many administrators encounter issues where port 53 fails to open despite seemingly correct iptables rules. The key problem often lies in misunderstanding the traffic flow direction and protocol requirements.
The original rules shown in the question:
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
These rules have two fundamental issues:
- They only handle UDP, ignoring TCP (DNS uses TCP for zone transfers and for responses too large for UDP)
- The INPUT rule uses --sport 53 (source port), which matches replies from other DNS servers, when a server must use --dport 53 (destination port) to match incoming queries
Here's the proper configuration for both UDP and TCP DNS traffic:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and return traffic first
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management access (e.g. SSH) belongs here: with a DROP policy, a file without it locks you out of a remote host
# DNS Inbound Rules
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
# DNS Outbound Rules (redundant while the OUTPUT policy is ACCEPT)
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
After applying these rules:
# Save rules
service iptables save
# Restart iptables
service iptables restart
# Check port status (run nmap as root; UDP ports show as open|filtered unless the service replies)
nmap -sU -p 53 localhost
nmap -sT -p 53 localhost
# Test DNS resolution
dig @localhost example.com
Testing against localhost only proves that the daemon is listening: traffic to localhost goes through the lo interface, which the -i lo rule accepts unconditionally, so the --dport 53 rules are never exercised. Repeat the nmap and dig checks from another host against the server's real IP address.
Issue 1: Port still appears closed
Check that the DNS service is actually running and bound to a reachable address (grep for ':53 ' so that ports such as 5353 do not match):
netstat -tulnp | grep ':53 '
If the Local Address column shows only 127.0.0.1:53, the daemon is listening on loopback alone and no firewall rule will make it reachable; fix its listen address in the daemon's configuration.
Issue 2: SELinux blocking access
Check and temporarily disable SELinux for testing:
setenforce 0
getenforce
SELinux does not filter packets: it can keep the daemon from starting or from binding to a port, but it cannot make a bound port look filtered. Check the service first, look for denials in /var/log/audit/audit.log (ausearch -m avc) instead of guessing, and put it back to enforcing with setenforce 1 as soon as the test is done.
Issue 3: Multiple conflicting rules
List all rules with line numbers (the first matching rule wins, so an earlier REJECT or DROP hides a later ACCEPT):
iptables -L -n --line-numbers
iptables -L omits interface and state matches; use iptables-save to see each rule exactly as loaded.
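The verification steps and the troubleshooting list above, in both walkthroughs of this answer, come down to inspecting the loaded rule set for the same few mistakes: a client-style --sport 53 match, missing udp/53 or tcp/53 ACCEPTs in INPUT, no ESTABLISHED rule, and a file that iptables-restore will refuse. The script below is an added example, not code from the original answer: it audits an iptables-save dump for those mistakes. The two rule sets it runs against are constructed for the example (one is the pair of rules from the question, the other the corrected server rule set), and the function names dns_rule_issues, dns_issue_count and audit_dns_rules are the example's own.

```shell
#!/bin/sh
# Added example (not from the original answer): audit an iptables-save dump
# for the DNS-server mistakes discussed above. Runs offline against the two
# constructed rule sets at the bottom; on a live CentOS host use:
#   audit_dns_rules "$(iptables-save)"

# Succeed if ruleset $1 contains a line matching extended regex $2.
has_rule() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# Print one line per problem found in an iptables-save style ruleset ($1).
dns_rule_issues() {
    rules=$1
    # --sport 53 in INPUT admits replies from other resolvers (client role);
    # it does nothing for queries sent to this host.
    if has_rule "$rules" '^-A INPUT .*--sport 53.*-j ACCEPT'; then
        echo "INPUT matches --sport 53: admits DNS replies, not incoming queries"
    fi
    if ! has_rule "$rules" '^-A INPUT .*-p udp.*--dport 53.*-j ACCEPT'; then
        echo "no INPUT ACCEPT for udp/53: clients cannot query this server"
    fi
    if ! has_rule "$rules" '^-A INPUT .*-p tcp.*--dport 53.*-j ACCEPT'; then
        echo "no INPUT ACCEPT for tcp/53: zone transfers and truncated-answer retries fail"
    fi
    # Accept either the state match used on the page or the newer conntrack match.
    if ! has_rule "$rules" '^-A INPUT .*(--state|--ctstate) [A-Z,]*ESTABLISHED'; then
        echo "no ESTABLISHED rule in INPUT: replies to this host's own lookups are dropped"
    fi
    if ! has_rule "$rules" '^COMMIT$'; then
        echo "no COMMIT line: iptables-restore rejects the file"
    fi
}

# Number of problems found, for scripting.
dns_issue_count() {
    dns_rule_issues "$1" | wc -l | tr -d ' '
}

# Print the problems and fail unless the ruleset is clean.
audit_dns_rules() {
    issues=$(dns_rule_issues "$1")
    if [ -n "$issues" ]; then
        printf '%s\n' "$issues"
        return 1
    fi
    return 0
}

# Constructed sample: the client-style rules from the question.
BROKEN_RULES=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
EOF
)

# Constructed sample: the corrected server rule set.
FIXED_RULES=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
EOF
)

echo "== rules from the question =="
if audit_dns_rules "$BROKEN_RULES"; then echo "PASS"; else echo "FAIL ($(dns_issue_count "$BROKEN_RULES") issues)"; fi
echo "== corrected rules =="
if audit_dns_rules "$FIXED_RULES"; then echo "PASS"; else echo "FAIL"; fi
```

The checks are deliberately textual so the script can run against a saved /etc/sysconfig/iptables file on a workstation, not only against the live kernel tables; it does not look at rule order, so an ACCEPT that is hidden behind an earlier DROP still has to be found with iptables -L -n --line-numbers or iptables-save.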
For more secure setups, consider these additional rules:
# Rate limiting to prevent DNS amplification attacks
-A INPUT -p udp --dport 53 -m limit --limit 5/second -j ACCEPT
# Restricting DNS access to specific networks
-A INPUT -p udp -s 192.168.1.0/24 --dport 53 -j ACCEPT
-A INPUT -p tcp -s 192.168.1.0/24 --dport 53 -j ACCEPT
Two caveats. The limit rule only takes effect if it replaces the unconditional --dport 53 ACCEPT above; appended after it, it is never reached. Once it is in place, packets over the limit fall through to the INPUT DROP policy, so no extra DROP rule is needed, but -m limit is one global bucket and 5/second throttles all clients together; a per-source limit needs -m hashlimit with --hashlimit-mode srcip. And the network restriction, like any -s match on UDP, is only as trustworthy as the source address, so against amplification it complements, rather than replaces, disabling open recursion in the DNS server itself.