How do I configure my firewall for DNS?

The are two main categories of firewalls:

1) "Personal firewall" software filtering network traffic to and from the local computer

With this type of firewall running on the same computer as Simple DNS Plus, you typically only need to "allow" Internet access for the Simple DNS Plus application modules (.exe files).
Please see the reference articles below for Illustrations on how to configure popular software firewall products.

2) Hardware/Server firewalls filtering network traffic between the Internet and a local network

This type of firewall is often built into routers, and filters TCP/IP traffic by protocol (UDP, TCP, IGMP, etc.), to/from IP address, and to/from port number.

DNS mainly uses the UDP protocol - except for zone transfer which use TCP.

TCP/IP port numbers are often categorized as either "server ports" (1 to 1023), or "application ports" (>1023).
Most server programs listen for requests on a "server port", and client programs (applications) communicate with the server from a random "application port".

A DNS server listens for requests on port 53 (both UDP and TCP).
So all DNS requests are sent to port 53, usually from an application port (>1023).

You can specify which port Simple DNS Plus sends outgoing DNS requests from in the Options dialog / DNS / Outbound Requests section.

DNS responses are returned from port 53 back to the original from-port (>1023).
Many firewalls are by default configured to accept all traffic sent to application port numbers, so you may not need to worry about DNS responses.

So you have to allow all traffic (in and out) sent to port 53 (requests), and possibly all traffic (in and out) from port 53 to any application port (responses).
This could mean as many as 8 "firewall rules" (UDP/TCP, In/Out, To/From 53).

NOTE: Some older firewall firmware (such as Cisco PIX) will block all DNS packets with EDNS0 enabled.
If needed, you can disable EDNS0 in the Simple DNS Plus Options dialog / DNS / Miscellaneous section, but we highly recommend you get the firewall firmware updated instead.

NOTE: Some firewall products have special filters that block certain type DNS requests.
One example is the "NG" firewall software from "Check Point Software Technologies" which is also embedded in some hardware solutions.
This software has a "DNS verification / inspection" feature, which will block all but the most basic type DNS traffic.
It is necessary to disable this feature for certain DNS functions such as zone update notifications to secondary servers to work.


For more information, please see the following knowledge base articles:

KB Article Using Simple DNS Plus with the Windows Vista built-in firewall
KB Article Using Simple DNS Plus with the Windows XP SP2 built-in firewall
KB Article Using Simple DNS Plus with Comodo Firewall Pro
KB Article Using Simple DNS Plus with Outpost Firewall Pro
KB Article Using Simple DNS Plus with Norman Personal Firewall
KB Article Using Simple DNS Plus with Norton 360 / Internet Security
KB Article Using Simple DNS Plus with McAfee Internet Security Suite
KB Article Using Simple DNS Plus with OneCare firewall

Be the first to comment on this page:
(Never published. Used for replies and to show your Gravatar icon. Never used for any other purpose.)