SELinux and Firewall Rules for DNS Server
For your clients to be able to query the DNS server, you need to open a single port on the firewall, but for both protocols. The DNS clients can use both TCP and UDP port 53.
Step 1. Use the iptables command to create your firewall rules:
# iptables -I INPUT 5 -p udp -m udp --dport 53 -j ACCEPT
# iptables -I INPUT 5 -p tcp -m tcp --dport 53 -j ACCEPT
Step 2. Save the rules you just created:
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Step 3. Restart the firewall service for the changes to take effect:
# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
For the DNS server, there is only a single SELinux Boolean value that you can change:
named_write_master_zones: Allows master zone files to be written
If you would like to have a dynamic DNS server or allow zone file transfers, you need to disable this value; otherwise, you can leave the default protection as is.
For additional security, you can use SELinux to restrict read access to the /etc/named.conf file to the named system user. To do so, label the file with the named_conf_t type using the following command:
# chcon -t named_conf_t /etc/named.conf
Verify the new file context with this command:
# ls -Z /etc | grep named.conf
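As an added example (not part of the original text), the following POSIX shell script checks the outcome of the steps above: that the INPUT chain accepts port 53 for both UDP and TCP and that each rule sits ahead of the chain's catch-all REJECT (the reason the rules are inserted with -I rather than appended), that /etc/named.conf carries the named_conf_t type, and what the Boolean is currently set to. The checks take command output as text, and the sample output embedded below is constructed in the shape these commands print on RHEL 6, not captured from a real host.

```shell
#!/bin/sh
# Post-configuration check for the DNS firewall and SELinux settings.
# Each check takes command output as text so it can be run against saved
# output or the constructed samples below as well as against live output.

# Return 0 when the INPUT chain (as printed by `iptables -S INPUT`) accepts
# port 53 for both UDP and TCP, and each ACCEPT rule comes before the
# chain's catch-all REJECT/DROP (a rule appended after it never matches).
dns_port_open() {
    rules="$1"
    cutoff=$(printf '%s\n' "$rules" | grep -nE '^-A INPUT -j (REJECT|DROP)' \
             | head -n 1 | cut -d: -f1)
    [ -n "$cutoff" ] || cutoff=1000000      # no catch-all: nothing to shadow
    for proto in udp tcp; do
        line=$(printf '%s\n' "$rules" \
               | grep -nE -- "^-A INPUT .*-p $proto .*--dport (53|domain) .*-j ACCEPT" \
               | head -n 1 | cut -d: -f1)
        [ -n "$line" ] || return 1              # no rule for this protocol
        [ "$line" -lt "$cutoff" ] || return 1   # rule present but shadowed
    done
    return 0
}

# Return 0 when the `ls -Z` line for /etc/named.conf carries named_conf_t.
named_conf_labeled() {
    printf '%s\n' "$1" | grep -qE ':named_conf_t(:|[[:space:]]|$)'
}

# Print "on" or "off" from a `getsebool named_write_master_zones` line.
named_write_master_zones_state() {
    printf '%s\n' "$1" | awk '$1 == "named_write_master_zones" && $2 == "-->" { print $3 }'
}

# Constructed samples (not captured from a real host) in the shape the
# three commands print on RHEL 6 after Steps 1-3 above.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
SAMPLE_LSZ='-rw-r-----. root named system_u:object_r:named_conf_t:s0 /etc/named.conf'
SAMPLE_BOOL='named_write_master_zones --> off'

# Live use: dns_port_open "$(iptables -S INPUT)", and likewise for the others.
if dns_port_open "$SAMPLE_RULES"; then echo "port 53 tcp+udp: open"; else echo "port 53: BLOCKED"; fi
if named_conf_labeled "$SAMPLE_LSZ"; then echo "named.conf: named_conf_t"; else echo "named.conf: wrong type"; fi
echo "named_write_master_zones: $(named_write_master_zones_state "$SAMPLE_BOOL")"
```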