High traffic outbound UDP 53

Hello, i have a very high and anormally traffic outbound UDP in port 53, i see in my external pfsense many connections from my virtualmin server to many ip’s in UDP 53 outbound, i have a little web and mail server config in my virtualmin (aprox. ±30 domains) with bind server configured, i know that can i not close this port because my domains need dns to work, but i think if i close my bind only to parent dns server or something like that can i close this high traffic UDP that I’m suffering right now.

Please, any help to block my dns server or go out this traffic ???

Thanks !!!

Anybody know how can expose my bind dns server only to masters servers ???


We expose our master servers to our slaves, and the slaves then process public queries.

In order to restrict things in this manner, it’s as easy as setting up a firewall rule.

Inside the rule, simply specify:

Source address or network Equals 111.222.333.444

This is specified under the “Condition details” section.

*** you can establish a basic firewall by using the “Reset firewall” button on: “Virtualmin > Networking > Linux FIrewall” then adjust things from there. ***


When you have a DNS server responding to both queries from localhost, and to public queries, you pretty much have to configure Bind to use two different “views”. The internal view accepts connections only from localhost and other trusted clients; and allows recursion.

view “internal” {
match-clients {; };
recursion yes;
notify no;
allow-query { any; }; allow-transfer { any; };
zone “localhost” { type master; file “/etc/bind/db.local”; };
zone “127.in-addr.arpa” { type master; file “/etc/bind/db.127”; };
zone “0.in-addr.arpa” { type master; file “/etc/bind/db.0”; };
zone “255.in-addr.arpa” { type master; file “/etc/bind/db.255”; };
zone “10.in-addr.arpa” { type master; file “/etc/bind/db.10”; };

and the external view prohibits recursive responses to the public

view “external” {
match-clients { any;};
recursion no;
additional-from-auth yes; additional-from-cache no;
notify yes;
allow-query { any; };
allow-transfer { key xfers.;; };

You’ll get eaten alive if you permit public recursive queries.


The way we have it setup in our environment works something like:

web1.tpnservers.com does the hosting, and manages the “master zones”.

ns1.tpndns.com and ns2.tpndns.com are dedicated boxes setup specifically for serving the public and technically serve up “slave zones”.

To ensure the public is not attempting to poll “web1.tpnservers.com”, we use a set of firewall rules which only permit communication between our two “slave” machines and the “master”. Further, when we publish “nameservers” at the registrar, we publish the two “slave” machines therefore never exposing the “master”.

This setup has been flawlessly in place for over 3 years, and our “masters” have never been polled from the public given their firewalled state.

If you’d like to discuss this type of setup further, please feel free to contact me at: pknowles@tpnsolutions.com


I think this is the correct solution, but the server tells me my domains are not in any view, how can i put my zones in internal view ???

Thanks to all, i think too my problem it’s eaten alive because my server permit public queries.

Oh Shit !!!

I touch my dns config and now i have an error, please anybody know how change my recent config to working config ???

/etc/named.conf:8: expected IP address near ‘;’


Can you paste in the contents of lines 6 - 9 in your /etc/named.conf file?


options { directory "/etc"; pid-file "/var/run/named/named.pid"; notify yes; transfers-in 10; transfers-per-ns 10; transfers-out 10; transfer-source; };

zone “.” {
type hint;
file “/etc/db.cache”;

I think this it’s correct … ¿??

transfer-source requires an argument:
transfer-source (ip4_addr | *) [port ip_port] ;

Peter’s solution is very good if you have other hosts to serve the public queries. Notice that his domain’s NS records don’t even list the master :slight_smile:

With that setup, bind can be configured to reject all queries other than from the slaves (and probably is), but with the firewall protection the master doesn’t even receive queries to drop :slight_smile:

Also, you can probably get by without implementing different views.

First, just set ‘recursion no’ in the options section.

If the loss of recursion has a negative impact on your local operations, try adding

allow-recursion { address_match_list };

If that doesn’t work, you can set other recursive nameservers in your /etc/resolv.conf file (replacing