
Minimum Packet Access Control List for DNS Servers

What are the minimum packet types required for the best DNS performance?

Although the Internet Standard RFCs list many requirements for hosts and routers, a DNS server needs only a small subset of packet types to perform well on the modern Internet (as of Summer 2007). This page lists that subset for each DNS role as a minimum packet access control list.

The assumptions are

Glossary of terms used

udp/tcp 53
Used as Destination port for DNS queries, transfers and notification. Also source port for older DNS versions.
udp/tcp ephemeral (>1023)
Used as Source port for DNS queries, transfers and notification.
icmp/packet-too-big
Used for Path MTU Discovery (mainly TCP). Sent by any gateway/router (ICMP type 3, code 4, Fragmentation Needed) when a packet exceeds the link's Maximum Transmission Unit and the Don't Fragment bit is set
icmp/port-unreachable
Used to detect lame or failed DNS servers and quickly retry another server.
icmp/echo and icmp/echo-reply
Used by global load balancers to estimate the latency to the querying resolver and return different DNS answers accordingly
RoutedIP
Any currently reachable unicast IP address on the network
UnicastIP
Any public or private routable unicast IP address
GatewayIP
IP address of the local gateway/router interfaces
InternalIP
Any internal IP address used by customers, employees, etc. May be the entire Internet for open recursive DNS servers
TransferIP
IP address of remote server which exchanges zone files with the DNS server
ServerIP
IP address of the local DNS server
StubIP
IP address of the DNS clients

Recursive (Caching, Resolving) Single Interface DNS server

See the footnote about ephemeral ports, or use Stateful Packet Inspection.
This is the configuration used by most DNS systems.
    Direction  SrcAddr      SrcPort                DstAddr     DstPort                  Notes
    Inbound    RoutedIP     udp/any                ServerIP    udp/53
    Inbound    RoutedIP     tcp/any                ServerIP    tcp/53
    Inbound    RoutedIP     udp/53                 ServerIP    udp/ephemeral (>1023)    timeout
    Inbound    RoutedIP     tcp/53                 ServerIP    tcp/ephemeral (>1023)    established
    Inbound    RoutedIP                            ServerIP    icmp/echo (8/0)          rate-limit
    Inbound    RoutedIP                            ServerIP    icmp/port-unreachable (3/3)
    Inbound    UnicastIP                           ServerIP    icmp/packet-too-big (3/4)

    Outbound   ServerIP     udp/53                 RoutedIP    udp/any
    Outbound   ServerIP     tcp/53                 RoutedIP    tcp/any
    Outbound   ServerIP     udp/ephemeral(>1023)   RoutedIP    udp/53
    Outbound   ServerIP     tcp/ephemeral(>1023)   RoutedIP    tcp/53
    Outbound   ServerIP                            RoutedIP    icmp/echo-reply (0/0)
    Outbound   ServerIP                            RoutedIP    icmp/port-unreachable (3/3)
    Outbound   GatewayIP                           RoutedIP    icmp/packet-too-big (3/4)
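
The table above rendered as iptables rules, for a packet filter running on the recursive server itself. This is an added example, not part of the original page. The ServerIP 192.0.2.53, the ephemeral range 32768-65535 (the range the ephemeral-port footnote suggests), the echo-request rate limit, and the mapping of Inbound to the INPUT chain and Outbound to the OUTPUT chain are assumptions; RoutedIP is rendered as "any address", and the GatewayIP rows are left out because they belong on the router, not on the host. The "timeout" and "established" notes become the conntrack ESTABLISHED state, and the ICMP errors are admitted only when conntrack can relate them to a tracked flow.

```python
# Render the "Recursive single-interface DNS server" ACL as iptables rules.
# Added example, not from the original page. Assumptions (not in the page):
# ServerIP 192.0.2.53, ephemeral range 32768-65535, a 10/second echo limit,
# Inbound -> INPUT and Outbound -> OUTPUT on the server host. GatewayIP rows
# are omitted (router rules), RoutedIP means "any address".
import re

SERVER_IP = "192.0.2.53"        # placeholder ServerIP (TEST-NET-1)
EPHEMERAL = (32768, 65535)      # high ephemeral range, per the footnote
ECHO_LIMIT = "10/second"        # placeholder icmp/echo rate limit


def recursive_single_interface_rules(server_ip=SERVER_IP,
                                     ephemeral=EPHEMERAL,
                                     echo_limit=ECHO_LIMIT):
    """Return the iptables rules (one string per row of the table), in order."""
    eph = f"{ephemeral[0]}:{ephemeral[1]}"
    state = "-m conntrack --ctstate"
    return [
        # Inbound: queries from anywhere to udp/tcp 53
        f"-A INPUT -p udp -d {server_ip} --dport 53 -j ACCEPT",
        f"-A INPUT -p tcp -d {server_ip} --dport 53 -j ACCEPT",
        # Inbound: replies to our own recursive queries. 'timeout' and
        # 'established' become conntrack ESTABLISHED, so a reply is admitted
        # only while a matching outbound query is still tracked.
        f"-A INPUT -p udp --sport 53 -d {server_ip} --dport {eph} {state} ESTABLISHED -j ACCEPT",
        f"-A INPUT -p tcp --sport 53 -d {server_ip} --dport {eph} {state} ESTABLISHED -j ACCEPT",
        # Inbound: rate-limited echo requests (load balancer latency probes)
        f"-A INPUT -p icmp --icmp-type 8 -d {server_ip} -m limit --limit {echo_limit} -j ACCEPT",
        # Inbound: ICMP errors only when RELATED to a tracked flow; conntrack
        # matches the IP/UDP/TCP header quoted in the ICMP payload.
        f"-A INPUT -p icmp --icmp-type 3/3 -d {server_ip} {state} RELATED -j ACCEPT",
        f"-A INPUT -p icmp --icmp-type 3/4 -d {server_ip} {state} RELATED -j ACCEPT",
        # Outbound: answers from port 53, queries from the ephemeral range,
        # echo replies and our own port-unreachables
        f"-A OUTPUT -p udp -s {server_ip} --sport 53 -j ACCEPT",
        f"-A OUTPUT -p tcp -s {server_ip} --sport 53 -j ACCEPT",
        f"-A OUTPUT -p udp -s {server_ip} --sport {eph} --dport 53 -j ACCEPT",
        f"-A OUTPUT -p tcp -s {server_ip} --sport {eph} --dport 53 -j ACCEPT",
        f"-A OUTPUT -p icmp --icmp-type 0 -s {server_ip} -j ACCEPT",
        f"-A OUTPUT -p icmp --icmp-type 3/3 -s {server_ip} -j ACCEPT",
        # Everything the table does not list is dropped
        "-A INPUT -j DROP",
        "-A OUTPUT -j DROP",
    ]


EPH_RANGE_RE = re.compile(r"--dport (\d+):(\d+)")


def stateless_ephemeral_accepts(rules):
    """Lint: return INPUT rules that ACCEPT a whole destination port range
    without a conntrack state qualifier. Such a rule opens every ephemeral
    port to unsolicited udp/53-sourced packets, which is exactly what the
    'timeout' / 'established' notes in the table are meant to prevent."""
    bad = []
    for rule in rules:
        if (rule.startswith("-A INPUT") and rule.endswith("-j ACCEPT")
                and EPH_RANGE_RE.search(rule) and "--ctstate" not in rule):
            bad.append(rule)
    return bad


if __name__ == "__main__":
    for rule in recursive_single_interface_rules():
        print("iptables " + rule)
```

Prefix each line with `iptables` to apply the rules one at a time, or wrap them in a `*filter` ... `COMMIT` section for `iptables-restore`. Run `stateless_ephemeral_accepts()` over any ruleset you inherit: a hit means replies on the ephemeral range are accepted without state, and the ephemeral-port footnote applies in full.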

Recursive (Caching, Resolving) Split Interface DNS server

Client Answering Interface (Should use Stateless Packet Inspection)
    Direction  SrcAddr      SrcPort                DstAddr     DstPort
    Inbound    InternalIP   udp/any                ServerIP    udp/53
    Inbound    InternalIP   tcp/any                ServerIP    tcp/53
    Inbound    UnicastIP                           ServerIP    icmp/packet-too-big (3/4)

    Outbound   ServerIP     udp/53                 InternalIP  udp/any
    Outbound   ServerIP     tcp/53                 InternalIP  tcp/any
    Outbound   ServerIP                            InternalIP  icmp/port-unreachable (3/3)
    Outbound   GatewayIP                           InternalIP  icmp/packet-too-big (3/4)
Query Sending Interface (see the footnote about ephemeral ports, or use Stateful Packet Inspection)
    Direction  SrcAddr      SrcPort                DstAddr     DstPort                  Notes
    Inbound    RoutedIP     udp/53                 ServerIP    udp/ephemeral (>1023)    timeout
    Inbound    RoutedIP     tcp/53                 ServerIP    tcp/ephemeral (>1023)    established
    Inbound    RoutedIP     udp/53                 ServerIP    udp/53 (older DNS)       timeout
    Inbound    RoutedIP     tcp/53                 ServerIP    tcp/53 (older DNS)       established
    Inbound    RoutedIP                            ServerIP    icmp/echo (8/0)          rate-limit
    Inbound    RoutedIP                            ServerIP    icmp/port-unreachable (3/3)
    Inbound    UnicastIP                           ServerIP    icmp/packet-too-big (3/4)

    Outbound   ServerIP     udp/ephemeral(>1023)   RoutedIP    udp/53
    Outbound   ServerIP     tcp/ephemeral(>1023)   RoutedIP    tcp/53
    Outbound   ServerIP     udp/53 (older DNS)     RoutedIP    udp/53
    Outbound   ServerIP     tcp/53 (older DNS)     RoutedIP    tcp/53
    Outbound   ServerIP                            RoutedIP    icmp/echo-reply (0/0)
    Outbound   GatewayIP                           RoutedIP    icmp/packet-too-big (3/4)

Non-recursive (Authoritative, Advertising) DNS server without notify or transfer

Should use Stateless Packet Inspection
    Direction  SrcAddr      SrcPort                DstAddr    DstPort
    Inbound    RoutedIP     udp/any                ServerIP   udp/53
    Inbound    RoutedIP     tcp/any                ServerIP   tcp/53
    Inbound    UnicastIP                           ServerIP   icmp/packet-too-big (3/4)

    Outbound   ServerIP     udp/53                 RoutedIP   udp/any
    Outbound   ServerIP     tcp/53                 RoutedIP   tcp/any
    Outbound   ServerIP                            RoutedIP   icmp/port-unreachable (3/3)
    Outbound   GatewayIP                           RoutedIP   icmp/packet-too-big (3/4)

Non-recursive (Authoritative, Advertising) DNS server with notify or transfer

See the footnote about ephemeral ports, or use Stateful Packet Inspection.
    Direction  SrcAddr      SrcPort                DstAddr    DstPort                   Notes
    Inbound    RoutedIP     udp/any                ServerIP   udp/53
    Inbound    RoutedIP     tcp/any                ServerIP   tcp/53
    Inbound    TransferIP   udp/53                 ServerIP   udp/ephemeral (>1023)     timeout
    Inbound    TransferIP   tcp/53                 ServerIP   tcp/ephemeral (>1023)     established
    Inbound    TransferIP                          ServerIP   icmp/port-unreachable (3/3)
    Inbound    UnicastIP                           ServerIP   icmp/packet-too-big (3/4)

    Outbound   ServerIP     udp/53                 RoutedIP   udp/any
    Outbound   ServerIP     tcp/53                 RoutedIP   tcp/any
    Outbound   ServerIP     udp/ephemeral(>1023)   TransferIP udp/53                    timeout
    Outbound   ServerIP     tcp/ephemeral(>1023)   TransferIP tcp/53                    established
    Outbound   ServerIP                            RoutedIP   icmp/port-unreachable (3/3)
    Outbound   GatewayIP                           RoutedIP   icmp/packet-too-big (3/4)

Stub Resolver (Forwarding) DNS client

See the footnote about ephemeral ports, or use Stateful Packet Inspection.
    Direction  SrcAddr      SrcPort                DstAddr     DstPort                  Notes
    Inbound    ServerIP     udp/53                 StubIP      udp/ephemeral (>1023)    timeout
    Inbound    ServerIP     tcp/53                 StubIP      tcp/ephemeral (>1023)    established
    Inbound    ServerIP     udp/53                 StubIP      udp/53 (older DNS)       timeout
    Inbound    ServerIP     tcp/53                 StubIP      tcp/53 (older DNS)       established
    Inbound    ServerIP                            StubIP      icmp/port-unreachable (3/3)
    Inbound    UnicastIP                           StubIP      icmp/packet-too-big (3/4)

    Outbound   StubIP       udp/ephemeral(>1023)   ServerIP    udp/53
    Outbound   StubIP       tcp/ephemeral(>1023)   ServerIP    tcp/53
    Outbound   StubIP       udp/53 (older DNS)     ServerIP    udp/53
    Outbound   StubIP       tcp/53 (older DNS)     ServerIP    tcp/53
    Outbound   GatewayIP                           ServerIP    icmp/packet-too-big (3/4)

*Ephemeral ports: The default ephemeral range on older systems was 1024-5000; it is better to change the ephemeral port range on the system to a high range, e.g. 32768-65535, avoiding ports used by other applications running on the same server, and to filter on that range rather than on every port above 1023. Review your DNS software and operating system documentation for instructions on how to change port ranges. DNS software that draws its source ports from a randomized pool increases the difficulty of blind DNS reply attacks, because an attacker must guess the source port as well as the 16-bit query ID; a fixed source port (including the older udp/53 source) leaves only the query ID to guess.

Stateful Packet Inspection devices and host network stacks must match packets across the icmp, udp and tcp protocols to prevent blind protocol attacks: a UDP reply is accepted only if it matches a query still outstanding from the same source port to the same server, and an ICMP error (port-unreachable, packet-too-big) is accepted only if the IP/UDP or TCP header quoted in its payload belongs to a flow that actually exists. Without this matching, a spoofed port-unreachable can tear down a session, and a spoofed reply can be accepted as an answer.
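
The matching described above, and the "timeout" and "established" notes in the query-sending tables, shown as a minimal stateful filter for the query side of a recursive server. This is an added example, not code from the original page. The ServerIP 192.0.2.53, the remote servers 198.51.100.1 and 203.0.113.9, the 5-second UDP timeout, the echo rate limit and the "captured" packets in the test are all constructed for the demonstration; it filters on the ephemeral range and does not implement the older udp/53-source rows.

```python
# Minimal stateful filter for the query-sending side of a recursive server.
# Added example, not from the original page. Addresses, ports, the UDP
# timeout and the echo limit are constructed placeholders.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """5-tuple of a query as the server sent it (src is ServerIP)."""
    proto: str          # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Packet:
    proto: str                      # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = -1
    inner: Optional[Flow] = None    # ICMP errors: header quoted in the payload


class QuerySideFilter:
    def __init__(self, server_ip, ephemeral=(32768, 65535), udp_timeout=5.0,
                 echo_per_second=10):
        self.server_ip = server_ip
        self.lo, self.hi = ephemeral
        self.udp_timeout = udp_timeout
        self.echo_per_second = echo_per_second
        self.flows = {}             # Flow -> expiry time; None = TCP (kept open)
        self._echo_window = (0, 0)  # (whole second, echo requests seen in it)

    def _expire(self, now):
        # 'timeout': UDP state disappears once no reply arrived in time.
        # A real filter also drops TCP state on FIN/RST; omitted here.
        self.flows = {f: t for f, t in self.flows.items()
                      if t is None or t > now}

    def outbound(self, pkt, now=0.0):
        """ServerIP ephemeral -> RoutedIP 53 is allowed and recorded as state."""
        if (pkt.proto in ("udp", "tcp") and pkt.src == self.server_ip
                and self.lo <= pkt.sport <= self.hi and pkt.dport == 53):
            flow = Flow(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.flows[flow] = (now + self.udp_timeout
                                if pkt.proto == "udp" else None)
            return True
        return False

    def inbound(self, pkt, now=0.0):
        """Admit only replies and ICMP errors that refer to a tracked query."""
        self._expire(now)
        if pkt.proto in ("udp", "tcp"):
            # A reply must invert a tracked query: same peer, same two ports.
            # A blind attacker who guesses the wrong source port is dropped here.
            query = Flow(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return query in self.flows
        if pkt.proto != "icmp":
            return False
        kind = (pkt.icmp_type, pkt.icmp_code)
        if kind == (8, 0):
            return self._echo_ok(now)
        if kind == (3, 3):
            # port-unreachable is sent by the queried host itself and must
            # quote a query we sent to that host
            return pkt.inner in self.flows and pkt.src == pkt.inner.dst
        if kind == (3, 4):
            # packet-too-big may come from any router on the path, but it
            # still has to quote one of our flows
            return pkt.inner in self.flows
        return False

    def _echo_ok(self, now):
        # 'rate-limit': at most echo_per_second echo requests per wall second
        second = int(now)
        sec, count = self._echo_window
        if sec != second:
            sec, count = second, 0
        count += 1
        self._echo_window = (sec, count)
        return count <= self.echo_per_second
```

The two ICMP cases differ deliberately: a port-unreachable has to come from the address the query was sent to, while a packet-too-big is accepted from any unicast source as long as the quoted header is one of our own flows, which is why the tables use UnicastIP rather than RoutedIP as the source for icmp/packet-too-big.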

*Broadcast/Multicast: Although some DNS RFCs reference the use of broadcast/multicast, no DNS servers I know of reply to broadcast or multicast queries. A new protocol called mDNS (multicast DNS) uses TCP/UDP port 5353 and is separate from DNS.



Copyright © 2007 Sean Donelan