What are the minimum packet types required for the best DNS performance?
Although the Internet Standard RFCs list many requirements for hosts and routers, only a basic subset of packet types is needed to obtain the best performance from DNS protocols and servers on the modern Internet (Summer 2007).
The assumptions are
Glossary of terms used
Recursive (Caching, Resolving) Single Interface DNS server
See footnote about ephemeral ports or Should use Stateful Packet Inspection
This is the configuration most DNS systems are most likely to use.
Direction  From        To          Protocol (source port -> destination port)   Notes
Inbound    RoutedIP    ServerIP    udp any -> 53
Inbound    RoutedIP    ServerIP    tcp any -> 53
Inbound    RoutedIP    ServerIP    udp 53 -> ephemeral (>1023)                  timeout
Inbound    RoutedIP    ServerIP    tcp 53 -> ephemeral (>1023)                  established
Inbound    RoutedIP    ServerIP    icmp echo (8/0)                              rate-limit
Inbound    RoutedIP    ServerIP    icmp port-unreachable (3/3)
Inbound    UnicastIP   ServerIP    icmp packet-too-big (3/4)
Outbound   ServerIP    RoutedIP    udp 53 -> any
Outbound   ServerIP    RoutedIP    tcp 53 -> any
Outbound   ServerIP    RoutedIP    udp ephemeral (>1023) -> 53
Outbound   ServerIP    RoutedIP    tcp ephemeral (>1023) -> 53
Outbound   ServerIP    RoutedIP    icmp echo-reply (0/0)
Outbound   ServerIP    RoutedIP    icmp port-unreachable (3/3)
Outbound   GatewayIP   RoutedIP    icmp packet-too-big (3/4)

Recursive (Caching, Resolving) Split Interface DNS server

Client Answering Interface (Should use Stateless Packet Inspection)

Direction  From        To          Protocol (source port -> destination port)   Notes
Inbound    InternalIP  ServerIP    udp any -> 53
Inbound    InternalIP  ServerIP    tcp any -> 53
Inbound    UnicastIP   ServerIP    icmp packet-too-big (3/4)
Outbound   ServerIP    InternalIP  udp 53 -> any
Outbound   ServerIP    InternalIP  tcp 53 -> any
Outbound   ServerIP    InternalIP  icmp port-unreachable (3/3)
Outbound   GatewayIP   InternalIP  icmp packet-too-big (3/4)

Query Sending Interface (See footnote about ephemeral ports or Should use Stateful Packet Inspection)

Direction  From        To          Protocol (source port -> destination port)   Notes
Inbound    RoutedIP    ServerIP    udp 53 -> ephemeral (>1023)                  timeout
Inbound    RoutedIP    ServerIP    tcp 53 -> ephemeral (>1023)                  established
Inbound    RoutedIP    ServerIP    udp 53 -> 53 (older DNS)                     timeout
Inbound    RoutedIP    ServerIP    tcp 53 -> 53 (older DNS)                     established
Inbound    RoutedIP    ServerIP    icmp echo (8/0)                              rate-limit
Inbound    RoutedIP    ServerIP    icmp port-unreachable (3/3)
Inbound    UnicastIP   ServerIP    icmp packet-too-big (3/4)
Outbound   ServerIP    RoutedIP    udp ephemeral (>1023) -> 53
Outbound   ServerIP    RoutedIP    tcp ephemeral (>1023) -> 53
Outbound   ServerIP    RoutedIP    udp 53 (older DNS) -> 53
Outbound   ServerIP    RoutedIP    tcp 53 (older DNS) -> 53
Outbound   ServerIP    RoutedIP    icmp echo-reply (0/0)
Outbound   GatewayIP   RoutedIP    icmp packet-too-big (3/4)

Non-recursive (Authoritative, Advertising) DNS server without notify or transfer

Should use Stateless Packet Inspection

Direction  From        To          Protocol (source port -> destination port)   Notes
Inbound    RoutedIP    ServerIP    udp any -> 53
Inbound    RoutedIP    ServerIP    tcp any -> 53
Inbound    UnicastIP   ServerIP    icmp packet-too-big (3/4)
Outbound   ServerIP    RoutedIP    udp 53 -> any
Outbound   ServerIP    RoutedIP    tcp 53 -> any
Outbound   ServerIP    RoutedIP    icmp port-unreachable (3/3)
Outbound   GatewayIP   RoutedIP    icmp packet-too-big (3/4)

Non-recursive (Authoritative, Advertising) DNS server with notify or transfer

See footnote about ephemeral ports or Should use Stateful Packet Inspection

Direction  From        To          Protocol (source port -> destination port)   Notes
Inbound    RoutedIP    ServerIP    udp any -> 53
Inbound    RoutedIP    ServerIP    tcp any -> 53
Inbound    TransferIP  ServerIP    udp 53 -> ephemeral (>1023)                  timeout
Inbound    TransferIP  ServerIP    tcp 53 -> ephemeral (>1023)                  established
Inbound    TransferIP  ServerIP    icmp port-unreachable (3/3)
Inbound    UnicastIP   ServerIP    icmp packet-too-big (3/4)
Outbound   ServerIP    RoutedIP    udp 53 -> any
Outbound   ServerIP    RoutedIP    tcp 53 -> any
Outbound   ServerIP    TransferIP  udp ephemeral (>1023) -> 53                  timeout
Outbound   ServerIP    TransferIP  tcp ephemeral (>1023) -> 53                  established
Outbound   ServerIP    RoutedIP    icmp port-unreachable (3/3)
Outbound   GatewayIP   RoutedIP    icmp packet-too-big (3/4)

Stub Resolver (Forwarding) DNS client

See footnote about ephemeral ports or Should use Stateful Packet Inspection

Direction  From        To          Protocol (source port -> destination port)   Notes
Inbound    ServerIP    StubIP      udp 53 -> ephemeral (>1023)                  timeout
Inbound    ServerIP    StubIP      tcp 53 -> ephemeral (>1023)                  established
Inbound    ServerIP    StubIP      udp 53 -> 53 (older DNS)                     timeout
Inbound    ServerIP    StubIP      tcp 53 -> 53 (older DNS)                     established
Inbound    ServerIP    StubIP      icmp port-unreachable (3/3)
Inbound    UnicastIP   StubIP      icmp packet-too-big (3/4)
Outbound   StubIP      ServerIP    udp ephemeral (>1023) -> 53
Outbound   StubIP      ServerIP    tcp ephemeral (>1023) -> 53
Outbound   StubIP      ServerIP    udp 53 (older DNS) -> 53
Outbound   StubIP      ServerIP    tcp 53 (older DNS) -> 53
Outbound   GatewayIP   ServerIP    icmp packet-too-big (3/4)
*Ephemeral ports: The default range on older systems was 1024-5000; however, it is better to change the system's ephemeral port range to a high range, e.g. 32768-65535, avoiding ports used by other applications running on the same server. Review your DNS software and operating system documentation for instructions on how to change port ranges. DNS software that uses a pool of source ports increases the difficulty of blind DNS reply attacks.
Stateful Packet Inspection and the host's network stack must match packets across the ICMP, UDP and TCP protocols (an inbound reply or ICMP error is admitted only when it corresponds to a query the host actually sent) to prevent blind protocol attacks.
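As an added example (not code from the original page), the following Python models the single-interface recursive server rule set above as a stateful filter, showing why replies and ICMP port-unreachable errors must be matched to the exact query tuple the server sent; the ServerIP, the 32768-65535 ephemeral range and the 30-second state timeout are assumptions.

```python
import time

SERVER_IP = "192.0.2.53"  # constructed ServerIP (RFC 5737 documentation range)
STATE_TIMEOUT = 30.0      # assumed lifetime of a pending-query entry, in seconds

class DnsStatefulFilter:
    """Single-interface recursive server rule set with stateful reply matching."""
    def __init__(self, server_ip=SERVER_IP, ephemeral=(32768, 65535)):
        self.server_ip, self.ephemeral = server_ip, ephemeral
        self.pending = {}  # (proto, remote_ip, our_ephemeral_port) -> expiry of a sent query

    def _ephemeral(self, port):
        return self.ephemeral[0] <= port <= self.ephemeral[1]

    def outbound(self, p, now=None):
        now = time.time() if now is None else now
        if p["src"] != self.server_ip:  # the GatewayIP packet-too-big row is the gateway's, not modelled
            return False
        if p["proto"] in ("udp", "tcp"):
            if p["sport"] == 53:        # ServerIP x/53 -> RoutedIP x/any: answers to clients
                return True
            if self._ephemeral(p["sport"]) and p["dport"] == 53:
                # ServerIP x/ephemeral -> RoutedIP x/53: a query; remember its tuple
                self.pending[(p["proto"], p["dst"], p["sport"])] = now + STATE_TIMEOUT
                return True
            return False
        return p["proto"] == "icmp" and p["type"] in ((0, 0), (3, 3))  # echo-reply, port-unreachable

    def inbound(self, p, now=None):
        now = time.time() if now is None else now
        if p["dst"] != self.server_ip:
            return False
        if p["proto"] in ("udp", "tcp"):
            if p["dport"] == 53:        # RoutedIP x/any -> ServerIP x/53: client queries
                return True
            if p["sport"] == 53 and self._ephemeral(p["dport"]):
                key = (p["proto"], p["src"], p["dport"])
                if self.pending.get(key, 0.0) < now:  # no live query for this tuple: blind reply
                    return False
                if p["proto"] == "udp":  # "timeout" rule: one reply consumes the UDP entry
                    del self.pending[key]
                return True              # "established" rule: TCP entry lives until timeout
            return False
        if p["proto"] == "icmp":
            if p["type"] in ((8, 0), (3, 4)):  # echo (rate-limit in a real filter), packet-too-big
                return True
            if p["type"] == (3, 3):      # port-unreachable must quote a query we sent
                inner = p.get("inner")   # (proto, remote_ip, our_port) parsed from the quoted header
                return self.pending.get(inner, 0.0) >= now and inner[1] == p["src"]
        return False
```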
*Broadcast/Multicast: Although some DNS RFCs reference the use of broadcast/multicast, no DNS server I know of replies to broadcast or multicast queries. A new protocol called mDNS (multicast DNS) uses TCP/UDP port 5353 and is separate from DNS.