A guide on Network World explains how to permit forwarding of both TCP and UDP port 53 packets to DNS servers. The guide argues this is necessary because of the likely deployment of DNSSEC and the addition of IPv6 in the coming years, and it includes sections on firewall commands and on testing the result.
“DNS can be used by attackers as one of their reconnaissance techniques. Public information contained in a target’s servers is valuable to an attacker and helps them focus their attacks. Attackers can use a variety of techniques to retrieve DNS information through queries. However, hackers often try to perform a zone transfer from your authoritative DNS servers to gain access to even more information. You can use the dig command to gather information from a server for a specific zone file. dig @192.168.11.24 example.org -t AXFR”
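The reason the guide insists on opening TCP/53 alongside UDP/53 is the truncation fallback in the DNS protocol: when an answer (for example a DNSSEC-signed one) does not fit in the UDP reply, the server sets the TC flag and the resolver must repeat the query over TCP. The following is an added example, not code from the Network World guide; the query, the truncated reply and the transaction id 0x1234 are constructed here to show the check a resolver performs and the 2-byte length framing TCP DNS uses.

```python
import struct

# Added example (not from the Network World guide): why a DNS client needs
# TCP/53 as well as UDP/53. A UDP answer that does not fit is returned with the
# TC (truncated) flag set; the resolver then repeats the query over TCP, where
# every message carries a 2-byte big-endian length prefix (RFC 1035, 4.2.2).

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (RD set) for `name` with record type `qtype`."""
    labels = b"".join(bytes([len(part)]) + part.encode()
                      for part in name.rstrip(".").split("."))
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into named fields and the flag bits we need."""
    txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg)
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def needs_tcp_retry(udp_reply: bytes) -> bool:
    """True when the server truncated the UDP answer (TC=1): retry over TCP/53."""
    return parse_header(udp_reply)["tc"]

def tcp_frame(msg: bytes) -> bytes:
    """Frame a DNS message for TCP transport: 2-byte length, then the message."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream: bytes) -> bytes:
    """Return the first length-prefixed DNS message from a TCP byte stream."""
    (length,) = struct.unpack_from("!H", stream)
    return stream[2:2 + length]

# Constructed sample: a UDP reply to our query with QR=1, TC=1, RD=1, RA=1
# (flags 0x8380) and no answer records, as a server sends when the full answer
# exceeds what it is willing to put in a UDP datagram.
QUERY = build_query("example.org", qtype=1)
TRUNCATED_REPLY = DNS_HEADER.pack(0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    if needs_tcp_retry(TRUNCATED_REPLY):
        # A firewall that drops TCP/53 makes this retry fail and the lookup time out.
        print("UDP reply truncated; resending", len(tcp_frame(QUERY)), "bytes over TCP/53")
```

If a firewall only passes UDP/53, the retry in the last branch never gets an answer, which is the failure mode the guide's testing section is meant to catch.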