13 Oct 2000, 08:16
In response to MaD dUCK's ipchains rules to allow DNS traffic to your forwarders: note that, more often than not, DNS queries are performed with UDP and not TCP. You will want to allow UDP packets to port 53 on your forwarders outbound and 'response' packets back in.

Probably the safest and most efficient way to provide DNS is to run a server (the most recent BIND 8 or Bernstein's DNS tools) on the gateway machine, configured to cache only and to query from a specific port. That way you don't have to open up a large range of UDP and TCP ports to a large number of hosts, and you get the added benefit of DNS caching.

Beware of BIND vulnerabilities, though; you need to keep up to date with those and upgrade appropriately.

HTH,
Tobias
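To make the advice above concrete, here is an added example (not part of Tobias's post or of any project) that generates the ipchains rule set and a matching BIND 8 caching-only `named.conf` for a gateway that talks DNS only to fixed forwarders, from one pinned source port. The gateway address, interface name, query port, LAN range and forwarder addresses are constructed for the example; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the original post. All addresses, the interface
# name and the query port below are constructed/assumed values.

GW_IP="192.0.2.1"                         # gateway's external address (constructed)
GW_IF="eth0"                              # external interface (assumed)
QUERY_PORT="5353"                         # source port the resolver is pinned to (assumed)
LAN_NET="192.168.1.0/24"                  # internal clients allowed to query (constructed)
FORWARDERS="198.51.100.53 203.0.113.53"   # upstream forwarders (constructed)

# Print the ipchains commands that let the gateway's resolver send UDP queries
# from QUERY_PORT to port 53 on each forwarder and receive the replies back in.
# TCP 53 is allowed as well, since replies larger than 512 bytes fall back to
# TCP, but inbound TCP is limited to non-SYN packets ("! -y"), i.e. only the
# forwarder's side of a connection the gateway itself opened. Any other
# external port-53 traffic is denied and logged (-l).
dns_rules() {
    for fwd in $FORWARDERS; do
        echo "ipchains -A output -i $GW_IF -p udp -s $GW_IP $QUERY_PORT -d $fwd 53 -j ACCEPT"
        echo "ipchains -A input  -i $GW_IF -p udp -s $fwd 53 -d $GW_IP $QUERY_PORT -j ACCEPT"
        echo "ipchains -A output -i $GW_IF -p tcp -s $GW_IP $QUERY_PORT -d $fwd 53 -j ACCEPT"
        echo "ipchains -A input  -i $GW_IF -p tcp ! -y -s $fwd 53 -d $GW_IP $QUERY_PORT -j ACCEPT"
    done
    echo "ipchains -A output -i $GW_IF -p udp -d 0.0.0.0/0 53 -l -j DENY"
    echo "ipchains -A input  -i $GW_IF -p udp -s 0.0.0.0/0 53 -l -j DENY"
}

# Number of rule lines produced (4 per forwarder plus the 2 catch-all denies).
dns_rule_count() {
    dns_rules | wc -l | tr -d ' '
}

# Print a BIND 8 caching-only configuration that pins the query source port
# (so the firewall rules above can match it), forwards everything to the
# listed forwarders, and answers only the internal network and localhost.
caching_named_conf() {
    printf 'options {\n'
    printf '    directory "/var/named";\n'
    printf '    query-source address * port %s;\n' "$QUERY_PORT"
    printf '    forwarders {'
    for fwd in $FORWARDERS; do printf ' %s;' "$fwd"; done
    printf ' };\n'
    printf '    forward only;\n'
    printf '    allow-query { %s; 127.0.0.1; };\n' "$LAN_NET"
    printf '};\n'
    printf 'zone "." { type hint; file "root.hints"; };\n'
}

# When run directly, show both the rules and the named.conf for review.
echo "# ipchains rules"
dns_rules
echo
echo "# named.conf"
caching_named_conf
```

Review the printed rules, then run them (or pipe the script's rule section through `sh`) on the gateway; the firewall only needs to know the forwarders and the one pinned port, which is the whole point of putting the cache on the gateway.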