6. Configuring Firewalls

Many units run their own firewalls. If you do, you need to be careful about how you configure them with regard to DNS traffic. Many things will still work with an incorrect configuration, but it may give rise to errors in the output from dcdiag and netdiag that make it harder to identify real problems, and clients and servers may have trouble locating services. Such problems may be masked because systems fall back on NetBIOS name resolution, but they become visible as soon as NetBIOS resolution fails or is disabled.

It is recommended that you do not lock down your firewall settings for DNS traffic to and from your DNS servers any more tightly than detailed below. The first two rows are the ones that we most often see configured incorrectly (or not allowed at all).

Source Address             Source Port   Dest. Address              Dest. Port
DNS Caching Resolvers      Any           Your internal DNS Servers  TCP 53
DNS Caching Resolvers      Any           Your internal DNS Servers  UDP 53
Your internal DNS Servers  Any           Any                        TCP 53
Your internal DNS Servers  Any           Any                        UDP 53
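As an added example (not part of this documentation), the following Python script checks a candidate allow-list against the four flows in the table above and reports any that no rule covers. The network addresses are constructed placeholders, and UDP_ONLY_RULES reproduces one instance of the mistake described above: the caching resolvers are allowed to reach the internal DNS servers over UDP 53 but not TCP 53.

```python
"""Check a firewall allow-list against the four DNS flows the table requires."""
import ipaddress

# Constructed sample networks (assumption: substitute your own addressing).
CACHING_RESOLVERS = ipaddress.ip_network("10.0.1.0/24")
INTERNAL_DNS = [ipaddress.ip_network("10.0.0.53/32"),
                ipaddress.ip_network("10.0.0.54/32")]
ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Required flows as (src_net, dst_net, proto, dport); source port is always "any".
REQUIRED_FLOWS = (
    [(CACHING_RESOLVERS, dns, proto, 53) for dns in INTERNAL_DNS for proto in ("tcp", "udp")]
    + [(dns, ANY_NET, proto, 53) for dns in INTERNAL_DNS for proto in ("tcp", "udp")]
)

def rule_covers(rule, flow):
    """True if one allow rule permits the whole flow (proto/dport may be 'any')."""
    r_src, r_dst, r_proto, r_dport = rule
    f_src, f_dst, f_proto, f_dport = flow
    return (f_src.subnet_of(r_src) and f_dst.subnet_of(r_dst)
            and r_proto in ("any", f_proto) and r_dport in ("any", f_dport))

def missing_flows(allow_rules):
    """Return the required flows that no rule in allow_rules permits."""
    return [f for f in REQUIRED_FLOWS
            if not any(rule_covers(r, f) for r in allow_rules)]

def describe(flow):
    """Human-readable form of a flow, e.g. '10.0.1.0/24 -> 10.0.0.53/32 TCP 53'."""
    src, dst, proto, dport = flow
    return f"{src} -> {dst} {proto.upper()} {dport}"

# Constructed misconfiguration: resolvers -> internal DNS allowed for UDP only,
# while the servers' own outbound queries (rows 3 and 4) are correctly allowed.
UDP_ONLY_RULES = [
    (CACHING_RESOLVERS, INTERNAL_DNS[0], "udp", 53),
    (CACHING_RESOLVERS, INTERNAL_DNS[1], "udp", 53),
    (INTERNAL_DNS[0], ANY_NET, "any", 53),
    (INTERNAL_DNS[1], ANY_NET, "any", 53),
]

# Corrected ruleset: the same rules plus TCP 53 from the resolvers (rows 1 and 2).
CORRECT_RULES = UDP_ONLY_RULES + [
    (CACHING_RESOLVERS, dns, "tcp", 53) for dns in INTERNAL_DNS
]

if __name__ == "__main__":
    for flow in missing_flows(UDP_ONLY_RULES):
        print("MISSING:", describe(flow))
```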
