6. Configuring Firewalls
Many units run their own firewalls. If you do, you need to be careful about how you configure them with regard to DNS traffic. Many things will still work with an incorrect configuration, but it can produce errors in the output of dcdiag and netdiag that make real problems harder to identify, and clients and servers can have trouble locating services. These problems are often masked because systems fall back on NetBIOS name resolution, and only become visible when that fallback fails or is disabled.
It is recommended that you do not lock down your firewall settings for DNS traffic to and from your DNS servers any more tightly than detailed below. The first two rows are the ones we most often see configured incorrectly (or not allowed at all).
| Source Address | Source Port | Dest. Address | Dest. Port |
|---|---|---|---|
| DNS Caching Resolvers | Any | Your internal DNS Servers | TCP 53 |
| DNS Caching Resolvers | Any | Your internal DNS Servers | UDP 53 |
| Your internal DNS Servers | Any | Any | TCP 53 |
| Your internal DNS Servers | Any | Any | UDP 53 |
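As an added example (not part of the original page), the script below models the four rows of the table as firewall rules and evaluates the flows a working resolver actually generates against them, side by side with an over-locked policy of the kind the page warns about (UDP only, resolver source port pinned to 53). The address ranges, host addresses and port numbers are constructed for the example and are not from the page; the rule-matching logic is a simple first-match evaluator written for illustration, not any particular firewall's semantics.

```python
"""Evaluate DNS flows against the recommended firewall policy and an over-locked one."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed example address groups (assumption: RFC 1918 ranges chosen for the demo).
CACHING_RESOLVERS = [ip_network("10.0.0.0/24")]
INTERNAL_DNS_SERVERS = [ip_network("10.1.1.10/32"), ip_network("10.1.1.11/32")]
ANY = [ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    src: List[object]
    sport: Optional[int]  # None means "Any" source port
    dst: List[object]
    dport: int
    proto: str


# The four rows of the table above, in order.
POLICY = [
    Rule(CACHING_RESOLVERS, None, INTERNAL_DNS_SERVERS, 53, "tcp"),
    Rule(CACHING_RESOLVERS, None, INTERNAL_DNS_SERVERS, 53, "udp"),
    Rule(INTERNAL_DNS_SERVERS, None, ANY, 53, "tcp"),
    Rule(INTERNAL_DNS_SERVERS, None, ANY, 53, "udp"),
]

# A constructed over-locked policy for contrast: no TCP at all, and the
# resolver-to-server row restricted to source port 53.
OVERLOCKED = [
    Rule(CACHING_RESOLVERS, 53, INTERNAL_DNS_SERVERS, 53, "udp"),
    Rule(INTERNAL_DNS_SERVERS, None, ANY, 53, "udp"),
]


def _in(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


def permitted(policy, src, sport, dst, dport, proto) -> bool:
    """Return True if the first matching rule in policy allows this flow."""
    for r in policy:
        if (_in(src, r.src) and (r.sport is None or r.sport == sport)
                and _in(dst, r.dst) and r.dport == dport and r.proto == proto):
            return True
    return False


# Constructed flows that a correctly working resolver and DNS server produce.
SAMPLE_FLOWS = [
    # Resolver sends an ordinary UDP query from a randomised ephemeral port.
    ("10.0.0.5", 54321, "10.1.1.10", 53, "udp"),
    # Resolver retries over TCP after a truncated UDP answer (or pulls a zone).
    ("10.0.0.5", 40001, "10.1.1.10", 53, "tcp"),
    # Internal server recurses out to an external authoritative server.
    ("10.1.1.10", 49152, "192.0.2.53", 53, "udp"),
    ("10.1.1.10", 49153, "192.0.2.53", 53, "tcp"),
]


def evaluate(policy, flows=SAMPLE_FLOWS) -> dict:
    """Map each flow tuple to whether the policy permits it."""
    return {f: permitted(policy, *f) for f in flows}


if __name__ == "__main__":
    for name, pol in (("recommended", POLICY), ("over-locked", OVERLOCKED)):
        print(name)
        for flow, ok in evaluate(pol).items():
            print("  ", "ALLOW" if ok else "DROP ", flow)
```

Running it shows every sample flow allowed under the recommended policy, while the over-locked policy drops the ephemeral-port UDP query (resolvers randomise their source port, so pinning it to 53 breaks them) and every TCP flow (large answers and zone transfers need TCP 53); only the server's outbound UDP recursion survives.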