In iptables, accept incoming UDP traffic to port 53 and drop incoming UDP to the static ports below the range your own DNS queries are sent from, so that the answers to those queries (which come back to the query's source port) are not dropped.
The upper limit of the DROP range must not be too high, otherwise your server will be unable to resolve external domains (for instance when you run "ping google.com" from inside the server): the reply arrives on the source port the query was sent from, and a stateless DROP covering that port discards it. On Linux, 32768 is the first ephemeral port (also called dynamic or private port); the range runs up to 61000 on older kernels and 60999 on recent ones (see /proc/sys/net/ipv4/ip_local_port_range, which governs IPv6 sockets as well). Thus 32767 is the highest port you can safely include in the DROP range. This is only true if you don't use your server as a DNS resolver, i.e. as a DNS cache, with /etc/resolv.conf pointing to nameserver 127.0.0.1 or ::1; a resolver daemon chooses its own source ports, see below. If your INPUT chain already accepts ESTABLISHED,RELATED traffic through conntrack, UDP replies to your own queries match that rule and this port arithmetic is not needed.
Here is a tcpdump example:
23:10:13.315832 IP b.b.b.b.34507 > a.a.a.a.53: 23674% [1au] A? whitehouse.gov. (38)
23:10:13.377619 IP a.a.a.a.53 > b.b.b.b.34507: 23674*- 1/2/3 A 172.230.122.69(122)
- b.b.b.b, from source port 34507, asks nameserver a.a.a.a on port 53 for the A record of whitehouse.gov
- a.a.a.a answers from port 53 to b.b.b.b on port 34507 (1/2/3 means one answer, two authority and three additional records); a stateless rule dropping UDP to 0:xxxx with xxxx >= 34507 would discard this reply
Normally, to find the local dynamic (also called ephemeral or private) port range that your Linux kernel assigns to UDP and TCP sockets:
cat /proc/sys/net/ipv4/ip_local_port_range
(or sysctl net.ipv4.ip_local_port_range; the two values are the low and high end of the range, inclusive)
However, this range only tells you where your queries come from when the server is not itself the resolver, i.e. when /etc/resolv.conf points at an external nameserver such as 8.8.8.8 and the queries are sent by the libc stub resolver through ordinary kernel sockets. A resolver daemon such as BIND or Unbound picks its own randomized source ports (by default typically anywhere between 1024 and 65535) instead of relying on ip_local_port_range.
Server is not a DNS resolver:
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 0:32767 -j DROP
Server is a DNS resolver:
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 0:1023 -j DROP
Take this into account if you want to host your own DNS resolver that resolves all domain names: with the 0:32767 rule, replies to the resolver's upstream queries sent from ports between 1024 and 32767 would be dropped, so in that case only the privileged ports 0:1023 are dropped. In both variants the ACCEPT for port 53 must come before the DROP, since iptables evaluates rules in order and the first match wins.
Best is to check it yourself.
You can watch the source ports of your server's outgoing DNS queries with
tcpdump -nn udp and port 53 and not dst host *yourserveripaddress*
(-nn stops tcpdump from doing reverse lookups of its own, which would add DNS traffic to the capture; excluding your own address as destination leaves only the queries you send). Then look at the source ports and find the lowest one. That lowest port must be greater than the xxxx in --dport 0:xxxx (the range is inclusive, so port xxxx itself is dropped too), otherwise you block or slow down your DNS lookups. Keep in mind that a short capture only samples the range: randomized source ports will eventually hit its lower end, so also compare xxxx against the low value of ip_local_port_range (or the port range configured in your resolver daemon) rather than trusting the smallest port seen in a few minutes.
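The following script, added here as an example and not taken from the original note, automates that check: it extracts the lowest source port from tcpdump query lines like the ones above, pulls the xxxx out of a "--dport 0:xxxx -j DROP" rule in iptables-save format, reads the low end of ip_local_port_range, and compares them. The tcpdump lines and rules embedded in it are constructed sample data (the two lines from the capture above plus one extra query), and the function names are my own, not from any tool.

```bash
#!/usr/bin/env bash
# Added example, not part of the original note: sanity-check that the upper
# bound xxxx of an "--dport 0:xxxx -j DROP" rule stays below every source
# port your server uses for its own outgoing DNS queries. All sample data
# below (rules, tcpdump lines) is constructed for illustration.

# Print the lowest source port among outgoing DNS queries in tcpdump output
# read from stdin. A query line looks like
#   23:10:13.315832 IP b.b.b.b.34507 > a.a.a.a.53: 23674% [1au] A? whitehouse.gov. (38)
# so the source is field 3 ("host.port") and the destination (field 5) ends
# in ".53:". Answer lines (source port 53, destination our port) are skipped.
lowest_query_src_port() {
    awk '$2 ~ /^IP6?$/ && $4 == ">" && $5 ~ /\.53:$/ {
            n = split($3, part, ".")      # last dotted component is the port
            port = part[n] + 0
            if (min == "" || port < min) min = port
        }
        END { if (min != "") print min }'
}

# Print the largest xxxx found in "--dport 0:xxxx -j DROP" rules read from
# stdin (iptables-save format, as in the rules above). Prints nothing if no
# such rule exists.
drop_upper_bound() {
    sed -n 's/.*--dport 0:\([0-9][0-9]*\) -j DROP.*/\1/p' | sort -n | tail -n 1
}

# Print the low end of the kernel ephemeral range from ip_local_port_range
# content read on stdin ("low<tab>high").
ephemeral_low() {
    awk '{ print $1; exit }'
}

# Return 0 (safe) when the DROP upper bound is strictly below the lowest
# port outgoing queries use, 1 otherwise. Port xxxx itself is inside the
# range 0:xxxx, so equality is not safe.
drop_range_is_safe() {
    local upper=$1 lowest_src=$2
    [ "$upper" -lt "$lowest_src" ]
}

# Constructed sample capture: the two lines from the note plus one more query.
sample_trace='23:10:13.315832 IP b.b.b.b.34507 > a.a.a.a.53: 23674% [1au] A? whitehouse.gov. (38)
23:10:13.377619 IP a.a.a.a.53 > b.b.b.b.34507: 23674*- 1/2/3 A 172.230.122.69(122)
23:10:14.102233 IP b.b.b.b.33001 > a.a.a.a.53: 4112+ A? example.org. (29)'

# Constructed rules: the "server is not a DNS resolver" variant from the note.
sample_rules='-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 0:32767 -j DROP'

lowest=$(printf '%s\n' "$sample_trace" | lowest_query_src_port)
upper=$(printf '%s\n' "$sample_rules" | drop_upper_bound)
if drop_range_is_safe "$upper" "$lowest"; then
    echo "ok: DROP 0:$upper is below the lowest observed query source port $lowest"
else
    echo "WARNING: DROP 0:$upper would discard replies to source port $lowest"
fi

# On a live Linux box, compare against the kernel range as well, since a short
# capture only samples the ports actually in use:
if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
    klow=$(ephemeral_low < /proc/sys/net/ipv4/ip_local_port_range)
    drop_range_is_safe "$upper" "$klow" \
        && echo "ok: DROP 0:$upper is below ip_local_port_range low end $klow" \
        || echo "WARNING: DROP 0:$upper overlaps ip_local_port_range (low end $klow)"
fi
```

To run it against a real capture, replace the constructed sample with the output of the tcpdump command above (tcpdump -nn ... > trace.txt; lowest_query_src_port < trace.txt) and feed drop_upper_bound with iptables-save. On a host running BIND or Unbound, compare against the daemon's configured port range rather than ip_local_port_range.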