
tcp on port 53 for dns - security/firewall questions

Discussion in 'Bind/DNS/Nameserver' started by morrow95, Oct 4, 2015.

  1. morrow95

    morrow95 Well-Known Member

    Joined:
    Oct 8, 2006
    Messages:
    123
    Likes Received:
    3
    Trophy Points:
    168
    Setting up a new server... I was checking DNS using http://www.dnsstuff.com/ and noticed that my nameservers do not respond to TCP. I did a little research and came across this article http://www.networkworld.com/article/2231682/cisco-subnet/cisco-subnet-allow-both-tcp-and-udp-port-53-to-your-dns-servers.html and some others, and would like to go ahead and enable this.

    Background info : This is a vpc setup whereas I have always used a dedicated in the past. At my registrar I have registered my private nameservers with the domain and everything is working fine.

    With that said, I looked at my iptables config and both tcp and udp on port 53 are allowed by default with whm/cpanel. All good there.

    My edge device, however, is not allowing tcp. I have these firewall rules in place at the moment :
    outbound dns internal:any > any:53 udp
    inbound dns1 any:any > (ip of nameserver1):53 udp
    inbound dns2 any:any > (ip of nameserver2):53 udp

    My question is... what is the correct AND secure way to allow TCP here? From the reading I did it appears that TCP on port 53 is a security risk because hackers can perform zone transfers and map out information which they should probably not be allowed to see (still a little unclear exactly how that works), which is why TCP is usually blocked by most people. However, it is now starting to be used for things like DNSSEC, IPv6, etc. and should be opened. So, with that said, is there a secure way to allow this, and if so, what are the firewall rules that need to be applied in this case?

    Any help/information from someone knowledgeable about this would be great.
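An added example (not from this thread or from cPanel) of the check a server admin would want to run after opening TCP/53: it sends a SOA query over UDP and over TCP, then requests an AXFR over TCP from the outside to confirm the nameserver refuses zone transfers to unauthorized hosts. It uses only the Python standard library and builds the DNS messages by hand; the server address and zone on the command line are placeholders you supply. The assessment logic is separated from the network calls so the decision can be checked without a live nameserver.

```python
import random
import socket
import struct
import sys

# RCODE values from RFC 1035 section 4.1.1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_SOA = 6
QTYPE_AXFR = 252
TC_BIT = 0x0200          # "truncated" flag: resolver must retry over TCP


def build_query(name, qtype, txid=None):
    """Build a minimal DNS query: 12-byte header (RD set) plus one question."""
    if txid is None:
        txid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN


def parse_header(msg):
    """Return (txid, rcode_name, answer_count, truncated) from a DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return txid, RCODES.get(rcode, str(rcode)), an, bool(flags & TC_BIT)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full DNS message arrived")
        buf += chunk
    return buf


def query_udp(server, name, qtype, timeout=3.0):
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_header(data)


def query_tcp(server, name, qtype, timeout=3.0):
    q = build_query(name, qtype)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)       # RFC 1035 4.2.2: 2-byte length prefix
        length = struct.unpack("!H", _recv_exact(s, 2))[0]
        data = _recv_exact(s, length)                 # first message of the response only
    return parse_header(data)


def _safe(fn, *args):
    """Run a query; timeouts, refused connections and junk replies all count as 'no answer'."""
    try:
        return fn(*args)
    except (OSError, ValueError):
        return None


def assess(udp, tcp, axfr):
    """Each argument is a parse_header() tuple or None when the server gave no answer.

    udp_ok / tcp_ok: the server answers a normal SOA query over that transport.
    axfr_open: an AXFR from this (unauthorized) host came back with records,
               i.e. allow-transfer is not restricted to the secondaries.
    """
    return {
        "udp_ok": udp is not None and udp[1] == "NOERROR",
        "tcp_ok": tcp is not None and tcp[1] == "NOERROR",
        "axfr_open": axfr is not None and axfr[1] == "NOERROR" and axfr[2] > 0,
    }


def check_nameserver(server, zone):
    """Probe one nameserver for a zone it is authoritative for."""
    udp = _safe(query_udp, server, zone, QTYPE_SOA)
    tcp = _safe(query_tcp, server, zone, QTYPE_SOA)
    axfr = _safe(query_tcp, server, zone, QTYPE_AXFR)
    return assess(udp, tcp, axfr)


if __name__ == "__main__":
    # usage: python dnscheck.py <nameserver-ip-placeholder> <zone-placeholder>
    result = check_nameserver(sys.argv[1], sys.argv[2])
    print("UDP/53 answers:     ", result["udp_ok"])
    print("TCP/53 answers:     ", result["tcp_ok"])
    print("AXFR open to anyone:", result["axfr_open"])
```

Run it from a host outside your own network against each nameserver IP. The outcome you want is UDP and TCP both answering and AXFR not open: the firewall then needs the same inbound rules for tcp/53 as for udp/53 on the nameserver IPs, and the zone transfer exposure is handled on the nameserver itself (in BIND, `allow-transfer` limited to your secondaries' addresses) rather than by blocking TCP, which also breaks truncated and large DNSSEC responses.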
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,197
    Likes Received:
    1,936
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator