What ports need to be open for DNS to operate?
DNS uses both the TCP and UDP protocols. Lookups performed by clients primarily (but not exclusively) use UDP – when the response data exceeds 512 bytes, the UDP query will fail and the resolver will retry using TCP. Other DNS functions such as zone transfers use TCP exclusively. DNS servers need to be reachable on port 53 (“domain”) for both TCP and UDP from their clients (often, the whole internet); the standards do not prescribe a specific source port for DNS requests, so the source port is arbitrary.
Additionally, on systems that are running BIND9 as part of a zone that (as recommended) has multiple name servers, the servers need to be able to connect to each other on TCP port 953 (“rndc”) so they can push changes out to their peers rather than wait for them to refresh their cached information.
The common port/protocol information can be found in the /etc/services file.
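To make the UDP-then-TCP behaviour described in the answer concrete, here is an added example (not part of the original question or answer) in plain Python with no network access: it builds a minimal DNS query, reads the header of a UDP response to see whether the server set the TC (truncation) bit, applies the 2-byte length prefix that DNS uses on TCP, and parses an /etc/services excerpt into a port-to-name table. The two sample responses and the /etc/services excerpt are constructed inline; the function and constant names (`needs_tcp_retry`, `tcp_frame`, `UDP_PAYLOAD_LIMIT`, etc.) are this example's own, not from any DNS library.

```python
"""Added example: how a resolver decides between UDP and TCP for a DNS
query, and how /etc/services maps names to ports.  All sample data is
constructed inline; nothing here touches the network."""
import struct

DNS_PORT = 53
UDP_PAYLOAD_LIMIT = 512       # classic UDP limit without EDNS0
FLAG_QR = 0x8000              # header flag: message is a response
FLAG_TC = 0x0200              # header flag: answer was truncated


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive (RD=1) query for qname; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into the fields a client checks."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def needs_tcp_retry(udp_response: bytes) -> bool:
    """True when the server truncated its answer to fit the UDP limit: the
    client should then repeat the same query over TCP port 53."""
    return parse_header(udp_response)["tc"]


def tcp_frame(msg: bytes) -> bytes:
    """On TCP each DNS message is prefixed with its length as a big-endian
    16-bit integer so that messages can be delimited on the stream."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream: bytes) -> bytes:
    """Strip the TCP length prefix and return exactly one DNS message."""
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def parse_services(text: str) -> dict:
    """Parse text in /etc/services format into {(port, proto): name}."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name, portproto, *_aliases = line.split()
        port, proto = portproto.split("/")
        table[(int(port), proto)] = name
    return table


# --- constructed sample data ------------------------------------------------
QUERY = build_query("example.com")

# Complete UDP answer: flags 0x8180 = QR, RD, RA; one A record via a name
# pointer (0xC00C) to the question, TTL 300, address bytes are made up.
FULL_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                 + QUERY[12:]
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                 + bytes([192, 0, 2, 10]))

# Truncated UDP answer: flags 0x8380 = QR, TC, RD, RA; no records carried.
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]

SERVICES_SAMPLE = """\
# constructed excerpt in /etc/services format
domain     53/tcp
domain     53/udp
rndc      953/tcp
"""

if __name__ == "__main__":
    for label, resp in (("full", FULL_RESPONSE), ("truncated", TRUNCATED_RESPONSE)):
        print(label, parse_header(resp), "-> retry over TCP:", needs_tcp_retry(resp))
    print("TCP-framed query length prefix:", tcp_frame(QUERY)[:2].hex())
    print("services:", parse_services(SERVICES_SAMPLE))
```

A real client would send `QUERY` with a UDP socket to port 53, check `needs_tcp_retry()` on whatever comes back, and only then open a TCP connection and send `tcp_frame(QUERY)`; the source port on both transports is whatever the operating system assigns, which is why a firewall in front of a server only needs to match destination port 53 for both protocols.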