Rules for DNS relay

Traffic for DNS Relay is allowed by automatic rules by default. We recommend using automatic rules.

The automatic rules allow the following traffic for DNS relay:

Table 1. Automatic rules for DNS relay

  Automatic rule                                              | Traffic allowed
  ------------------------------------------------------------|----------------------------------------------------------------------------------------------------
  Allow Traffic from Listening IP Addresses to DNS Relay Port | Traffic from the listening IP addresses of the firewall to port 53/TCP and port 53/UDP for DNS relay.
  Allow Connections to Domain-Specific DNS Servers            | Traffic from the firewall to domain-specific DNS servers.

If you want to send the DNS traffic through a policy-based VPN, you must disable the Allow Connections to Domain-Specific DNS Servers automatic rule. If you disable this automatic rule, you must add IPv4 or IPv6 Access rules that allow traffic from the firewall to the DNS servers. You must also add IPv4 or IPv6 NAT rules if you want to apply NAT or port translation to the DNS traffic.

If you create Access or NAT rules to match specific DNS traffic, use one or more of the following elements:

  • DNS Service Group — Matches both TCP and UDP traffic on port 53
  • DNS (TCP) Service — Matches TCP traffic on port 53
  • DNS (UDP) Service — Matches UDP traffic on port 53
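The following is an added illustration, not Forcepoint's code or the NGFW rule engine: a small Python model of Access rule matching that shows what the three service elements above match, and what happens to the relay's outbound DNS traffic when the Allow Connections to Domain-Specific DNS Servers automatic rule is disabled for a policy-based VPN without a replacement Access rule. The Flow and Rule classes, the first-match evaluation, and all addresses are constructed assumptions; NAT rules are not modelled.

```python
"""Toy model of Access rule matching for DNS relay traffic.

Added example (not Forcepoint's code): Flow, Rule, the evaluation loop and
every address below are constructed to illustrate which service element
matches which traffic, and why disabling the automatic rule without adding
an Access rule silently breaks DNS relay. NAT is not modelled.
"""
from dataclasses import dataclass

# Service elements named on the page, as the (protocol, port) pairs they match.
SERVICES = {
    "DNS Service Group": {("tcp", 53), ("udp", 53)},
    "DNS (TCP) Service": {("tcp", 53)},
    "DNS (UDP) Service": {("udp", 53)},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    name: str
    sources: frozenset       # IP addresses, or {"ANY"}
    destinations: frozenset  # IP addresses, or {"ANY"}
    service: str             # key into SERVICES
    enabled: bool = True

    def matches(self, flow: Flow) -> bool:
        if not self.enabled:
            return False
        if "ANY" not in self.sources and flow.src not in self.sources:
            return False
        if "ANY" not in self.destinations and flow.dst not in self.destinations:
            return False
        return (flow.proto, flow.dport) in SERVICES[self.service]


def evaluate(rules, flow):
    """First matching rule wins; a flow no rule matches is implicitly denied."""
    for rule in rules:
        if rule.matches(flow):
            return ("allow", rule.name)
    return ("deny", None)


# Constructed (assumed) addresses for the firewall and one domain-specific server.
FIREWALL_IP = "192.0.2.1"
DNS_SERVERS = frozenset({"198.51.100.53"})
AUTO_RULE = "Allow Connections to Domain-Specific DNS Servers"


def automatic_rule(enabled=True):
    """Model of the automatic rule: firewall -> domain-specific servers, 53/TCP and 53/UDP."""
    return Rule(AUTO_RULE, frozenset({FIREWALL_IP}), DNS_SERVERS,
                "DNS Service Group", enabled=enabled)


def relay_flows():
    """The two flows the relay sends to a domain-specific server: UDP, then TCP."""
    return [Flow(FIREWALL_IP, "198.51.100.53", "udp", 53),
            Flow(FIREWALL_IP, "198.51.100.53", "tcp", 53)]


def decisions(rules):
    """Returns [udp_decision, tcp_decision] for the relay flows under the given rule base."""
    return [evaluate(rules, f)[0] for f in relay_flows()]


def scenario_default():
    return decisions([automatic_rule()])


def scenario_disabled_no_replacement():
    # Automatic rule disabled for the VPN, but no manual Access rule added.
    return decisions([automatic_rule(enabled=False)])


def scenario_disabled_udp_only():
    # Manual rule built with the DNS (UDP) Service element only: TCP fallback is blocked.
    manual = Rule("DNS via VPN (UDP only)", frozenset({FIREWALL_IP}),
                  DNS_SERVERS, "DNS (UDP) Service")
    return decisions([automatic_rule(enabled=False), manual])


def scenario_disabled_service_group():
    # Manual rule built with the DNS Service Group element: both transports allowed.
    manual = Rule("DNS via VPN", frozenset({FIREWALL_IP}),
                  DNS_SERVERS, "DNS Service Group")
    return decisions([automatic_rule(enabled=False), manual])


if __name__ == "__main__":
    for fn in (scenario_default, scenario_disabled_no_replacement,
               scenario_disabled_udp_only, scenario_disabled_service_group):
        udp, tcp = fn()
        print(f"{fn.__name__}: udp={udp} tcp={tcp}")
```

The UDP-only scenario is the one to keep in mind when writing the replacement Access rule: resolvers fall back to 53/TCP for truncated responses, so a rule built from the DNS (UDP) Service element alone allows ordinary queries while blocking the fallback.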