Use these rules only if you are protecting a dedicated DNS server. SERVER_IP is the IP address on which BIND (named) is listening on port 53 for incoming DNS queries. Please note that here I’m not allowing the TCP protocol, as I don’t have a secondary DNS server to do zone transfers.
SERVER_IP="202.54.10.20"
# Clients query from an unprivileged source port to udp/53 on the server
iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# Server-to-server queries with udp/53 on both ends
iptables -A INPUT -p udp -s 0/0 --sport 53 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT
Please note that if you have a secondary server, add the following rules to the above so that the secondary server can do zone transfers from the primary DNS server:
DNS2_IP="202.54.10.2"
# Zone transfers (AXFR) run over TCP and are allowed only from the secondary
iptables -A INPUT -p tcp -s $DNS2_IP --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 53 -d $DNS2_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
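The two rule sets above, turned into a small script as an added example (this is not code from the original post): the ruleset is generated by one function so the TCP zone-transfer rules appear only when a secondary is configured, and a dry-run mode prints the iptables commands instead of running them, which lets you review the rules before touching a live firewall. The addresses are the sample values from the post; the function names, the DRY/apply mode argument and the IPTABLES variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate and (optionally) apply the DNS firewall rules from the post.
# SERVER_IP / DNS2_IP default to the post's sample addresses; DNS2_IP empty means no secondary.
SERVER_IP="${SERVER_IP:-202.54.10.20}"
DNS2_IP="${DNS2_IP:-}"
IPTABLES="${IPTABLES:-iptables}"   # assumed: path to the iptables binary

# Print one iptables rule (without the leading "iptables") per line.
# $1 = server address, $2 = secondary address or empty string.
build_dns_rules() {
    srv="$1"; sec="$2"
    # Authoritative service: clients query from an unprivileged port to udp/53.
    echo "-A INPUT -p udp -s 0/0 --sport 1024:65535 -d $srv --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "-A OUTPUT -p udp -s $srv --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT"
    # Server-to-server queries with udp/53 on both ends.
    echo "-A INPUT -p udp -s 0/0 --sport 53 -d $srv --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "-A OUTPUT -p udp -s $srv --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT"
    # Zone transfer (AXFR over TCP) is opened only towards the named secondary.
    if [ -n "$sec" ]; then
        echo "-A INPUT -p tcp -s $sec --sport 1024:65535 -d $srv --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT"
        echo "-A OUTPUT -p tcp -s $srv --sport 53 -d $sec --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT"
    fi
}

# Sanity check: how many rules open TCP? Expect 0 without a secondary and 2 with one.
count_tcp_rules() {
    build_dns_rules "$1" "$2" | awk '/-p tcp/ { n++ } END { print n + 0 }'
}

# Apply the ruleset. $3 = "dry" prints the commands, "apply" runs them.
apply_dns_rules() {
    srv="$1"; sec="$2"; mode="${3:-dry}"
    build_dns_rules "$srv" "$sec" | while IFS= read -r rule; do
        if [ "$mode" = "apply" ]; then
            # Word splitting of $rule into arguments is intended here.
            $IPTABLES $rule
        else
            echo "$IPTABLES $rule"
        fi
    done
}

# Default invocation is a dry run; set MODE=apply to load the rules as root.
apply_dns_rules "$SERVER_IP" "$DNS2_IP" "${MODE:-dry}"
```

Two caveats when using this. First, these are all ACCEPT rules: they only restrict traffic if the INPUT and OUTPUT chains have a DROP policy or a later catch-all DROP rule, otherwise everything not listed is still allowed. Second, the udp/53-to-udp/53 pair assumes named sends its own outgoing queries from source port 53; BIND versions since 9.5 randomize the source port of outgoing queries, so a server that also recurses needs an additional rule allowing outgoing UDP from 1024:65535 to port 53 (and the matching ESTABLISHED reply), or those queries will be blocked.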