FAQ0203: How can DNS be implemented securely at the firewall rule level?
With FireWall-1 v4.0, DNS queries and zone transfers were allowed by default. This was very dangerous for your DNS servers, because any host could reach them with faked queries and zone transfer requests. With v4.1 this changed: these implied rules are now disabled. The question now is how a secure implementation of DNS rules can be achieved.
The scenario above assumes that you have an internal DNS server. All clients point to the internal DNS server. If a query (UDP/53) cannot be resolved, the internal DNS forwards it to the primary DNS in the DMZ, and the primary DNS queries the Internet for the IP address.
The secondary DNS is positioned at the ISP; this server alone is allowed to request a DNS zone transfer (TCP/53), no other host gets this right.
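The rule base this scenario calls for, as an added example that is not part of the FAQ or of FireWall-1 itself: an ordered, first-match rule set modelled in Python with a small evaluator, so you can check which DNS paths the rules permit and which they drop. All addresses are constructed samples; the FAQ names only the roles (internal DNS, primary in the DMZ, secondary at the ISP).

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses: the FAQ names only roles, not hosts.
INTERNAL_NET = ip_network("10.0.0.0/8")          # clients and the internal DNS
INTERNAL_DNS = ip_network("10.0.0.53/32")
PRIMARY_DNS = ip_network("192.0.2.53/32")        # primary DNS in the DMZ
ISP_SECONDARY = ip_network("198.51.100.2/32")    # secondary DNS hosted at the ISP
ANY = ip_network("0.0.0.0/0")

# Ordered rule base, first match wins: (source, destination, protocol, port, action).
# Replies to UDP/53 queries are handled by the firewall's state table, so no
# reverse rules are needed; only the initiating direction is listed here.
RULES = [
    (INTERNAL_NET,  INTERNAL_DNS, "udp", 53, "accept"),  # clients query the internal DNS only
    (INTERNAL_DNS,  PRIMARY_DNS,  "udp", 53, "accept"),  # unresolved queries forwarded to the DMZ
    (PRIMARY_DNS,   ANY,          "udp", 53, "accept"),  # primary resolves on the Internet
    (ISP_SECONDARY, PRIMARY_DNS,  "tcp", 53, "accept"),  # zone transfer: the ISP secondary only
    (ANY,           ANY,          "any", 0,  "drop"),    # cleanup rule: everything else, incl. TCP/53
]


def evaluate(src, dst, proto, dport):
    """Return (rule number, action) of the first rule matching a packet."""
    s, d = ip_address(src), ip_address(dst)
    for number, (r_src, r_dst, r_proto, r_port, action) in enumerate(RULES, start=1):
        if s in r_src and d in r_dst and r_proto in ("any", proto) and r_port in (0, dport):
            return number, action
    return len(RULES), "drop"  # unreachable with the cleanup rule in place


def check_rulebase():
    """One sample packet per path the FAQ describes, plus traffic that must be dropped."""
    return {
        "client -> internal DNS (UDP/53)":          evaluate("10.0.0.7", "10.0.0.53", "udp", 53),
        "internal DNS -> primary (UDP/53)":         evaluate("10.0.0.53", "192.0.2.53", "udp", 53),
        "primary -> Internet (UDP/53)":             evaluate("192.0.2.53", "203.0.113.10", "udp", 53),
        "ISP secondary -> primary (TCP/53)":        evaluate("198.51.100.2", "192.0.2.53", "tcp", 53),
        "unknown host -> primary (TCP/53)":         evaluate("203.0.113.10", "192.0.2.53", "tcp", 53),
        "client bypassing internal DNS (UDP/53)":   evaluate("10.0.0.7", "203.0.113.10", "udp", 53),
    }


if __name__ == "__main__":
    for path, (number, action) in check_rulebase().items():
        print(f"rule {number}: {action:6}  {path}")
```

The last two entries are the checks worth repeating after any rule-base change: a zone transfer request from anywhere but the ISP secondary, and a client resolving directly on the Internet, must both hit the cleanup rule.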