Hi @Mark_Gregory !
There are two approaches in security:
1. Allow specific traffic and block all the rest. We can call it 'whitelisting'. This requires specific 'permit' ACL rules and general 'deny any' at the end of the ACL.
2. Block specific traffic and permit all the rest. So called 'blacklisting'. This requires specific 'deny' ACL rules and general 'permit any' at the end of the ACL.
Now to the DNS - when a DNS client sends a request to server, it uses UDP (or TCP) protocol, destination port is always 53, source port is normally an ephemeral port, the range varies depending on the OS used, but the safe choice is all ports greater than 1023. When DNS server gets this request, it replies back using same transport protocol (UDP or TCP), source port of the reply message will be 53 and destination port will be the same ephemeral port used in the request.
Having all these details in mind now we see that:
To explicitly match incoming DNS replies you need an ACL rule with source IP of the DNS server/-s and source TCP and UDP port 53 and destination port greater than 1023.
To explicitly match incoming DNS requests you need an ACL rule matching 'any' source IP and destination TCP and UDP port 53. Because DNS servers listen on port 53. Source port does not matter here, so we match all of them.
Substitute word 'match' with either 'permit' or 'deny' according to your security model. If you use 'whitelisting', it will be 'permit', if 'blacklisting' is used instead, then it will be 'deny',
Pay attention that you need to block or allow BOTH transport protocols - TCP and UDP. DNS has always been designed to use both UDP and TCP port 53 with UDP being the default, and fall back to using TCP when it is unable to communicate on UDP, typically when the packet size is too large to push through in a single UDP packet.
Hope this helps!