> I'm having some trouble with DNS queries making it through the filters...if
> I allow connections out to use udp port 53, that should allow clients inside
> the firewall to query external dns servers for information, correct? Do I
> need to open any other ports? (Of course, I have "related, established"
> open, so I assume the DNS server response will work properly). Am I missing
> something?

If a dns query via udp fails (or it has over 512 bytes, and the Truncated bit set), the resolver is obligated to commit the query via tcp.

In order to have dns queries working with external DNS servers, the clients must be able to send tcp and udp with dport 53 to the servers, and the replies must get back, e.g. using the state mechanism.

If you have a DNS server in your network and want to allow dns queries to your server you need to allow both tcp and udp with dport 53 to your DNS. Also, TCP is used for zone transfers.

If you fail to solve your problem, try tcpdumping the traffic on the firewall, you will know what is being sent, what is being blocked.

Regards,
Maciej Soltysiak
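The UDP-to-TCP fallback the reply describes, as an added illustration that is not part of the original thread: a minimal resolver-side check that builds a DNS query, inspects the TC (truncated) bit of a UDP reply, and frames the retry the way DNS over TCP requires (2-byte length prefix). The sample replies are constructed inline; no network access is used.

```python
import struct
from typing import Optional

TC_FLAG = 0x0200          # Truncated bit in the DNS header flags word
UDP_PAYLOAD_LIMIT = 512   # classic maximum UDP DNS message size (without EDNS0)

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (RD set, QDCOUNT=1) for qname, type A by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def needs_tcp_retry(udp_response: Optional[bytes]) -> bool:
    """Resolver decision: retry over TCP when UDP yielded nothing usable or TC is set.
    This is why a firewall that only passes udp/53 breaks some lookups."""
    if udp_response is None or len(udp_response) < 12:
        return True
    return parse_header(udp_response)["tc"]

def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def choose_transport(query: bytes, udp_response: Optional[bytes]) -> tuple:
    """Return ('udp', reply) if the UDP answer is usable, else ('tcp', framed query)."""
    if needs_tcp_retry(udp_response):
        return ("tcp", tcp_frame(query))
    return ("udp", udp_response)

# Constructed sample replies: same transaction id and question as the query,
# flags differ only in the TC bit (0x8180 = QR|RD|RA, 0x8380 = QR|TC|RD|RA).
QUERY = build_query("example.com")
QUESTION = QUERY[12:]
NORMAL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + QUESTION
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for label, reply in (("normal", NORMAL_REPLY), ("truncated", TRUNCATED_REPLY), ("lost", None)):
        transport, _ = choose_transport(QUERY, reply)
        print(f"{label:10s} -> resolver uses {transport}")
```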