Necessary Ports for Cisco 9800-CL

jmorton1
Level 1

We are looking to implement a zero trust through ThreatLocker and therefore we would like to find out which ports on the WLC need to be able to communicate with our domain controllers, our radius server, and with the APs. I have already looked at the reference guide for the Cisco Catalyst 9800 Wireless Controller for Cloud, and I am not seeing any reference concerning which ports need allowed. Thank you in advance.

10 Replies

Capwap ports 5246/5247

CoA port 1700

Radius port 1812/1813 

MHM

Thanks. What ports are required for DNS? I saw what appeared to be a random selection of ports being used ranging from the 8000s all the way up to the 46000s.

When you refer to something, it's best to include a URL where you saw it.

The standard port is 53, typically UDP for standard queries, but it can also be TCP for zone transfers and large queries.

Other than the ones mentioned above, like:

UDP 5246 for AP-WLC control messages

UDP 5247 for AP-WLC data messages

UDP 1700 for change of authorization

UDP 1812 for authentication and authorization

UDP 1813 for accounting

You can use HTTPS, TFTP, NTP, SFTP, LDAP (389), LDAP secure (636).

-hope this helps-

This was not something I read online. I pulled a report from ThreatLocker which showed DNS replies being sent to a whole bunch of different ports on the WLC. I know port 53 is the port that a DNS query is sent to on a DC, but the DNS replies went to a whole bunch of different ports on the WLC. I was not sure if there was a standard range of ports on the WLC that received DNS replies.

@jmorton1 The WLC specific ports and protocols are listed in the release notes.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-18/release-notes/rn-17-18-9800.html#Networkprotocolsandportmatrix

I pulled a report from ThreatLocker which showed DNS replies being sent to a whole bunch of different ports on the WLC.
I think you might be misunderstanding how IP protocols work. UDP 53 is the DNS server port - the destination port for DNS query packets. The source port can be any high port (often referred to as ephemeral ports), so the DNS reply from the server will have that high port as its destination (with source port being 53 in that case).

Example:
DNS query: UDP 49152 -> UDP 53
DNS reply: UDP 53 -> UDP 49152
Next DNS query: UDP 49153 -> UDP 53
with DNS reply: UDP 53 -> UDP 49153
Each DNS query will use a new source port, which has no specific meaning, so no point in even looking at that, it simply identifies that particular flow.

I am aware that ports 49152-65535 are typically used to receive DNS replies on an endpoint, but I was seeing DNS traffic from the server hit the WLC on port numbers in the 8000s range, so that is why I originally posted this.

Historically anything >1024 was used.  Some OS or apps may still use the lower ports.  Sometimes you can configure what should be used.  The point is the server is just replying to the port the request was sent from.  It's the client that determines the choice of source port.  Some NAT routers may also PAT to lower ports.  Unless you control the clients that traffic comes from, there's nothing you can do about it.

NOW it is so clear.
Does this match how you see it?

MHM

I think DNS uses port 53.

Also you need many other ports like SNMP and SSH/Telnet, HTTP/HTTPS, etc.

So open ports one by one depending on what you need to run.

MHM

Stefan Mihajlov
Level 3

@jmorton1 

Here’s the short list you’ll need to allow for a 9800-CL to function properly with APs, RADIUS, and AD/PKI:

Between WLC and APs (CAPWAP):

  • UDP/5246 (Control)

  • UDP/5247 (Data)

  • Optional: UDP/16666 (AP console if enabled)

Between WLC and RADIUS / AAA:

  • UDP/1812 (Authentication)

  • UDP/1813 (Accounting)
    (Legacy: 1645/1646 if your RADIUS server is old)

Between WLC and Domain Controllers (if using AD/LDAP directly):

  • TCP/389 (LDAP) or TCP/636 (LDAPS)

  • TCP/88, TCP/464, UDP/88 (Kerberos, if 802.1X with AD/Kerberos integration)

  • TCP/3268/3269 (Global Catalog, optional depending on your auth design)

Management / Other common services:

  • TCP/22 (SSH)

  • TCP/443 (HTTPS / GUI / APIs)

  • UDP/123 (NTP sync is highly recommended)

  • SNMP: UDP/161, UDP/162 (if you’re monitoring)

  • Syslog: UDP/514 (if you export logs)

That’s usually all you need to pin down in ThreatLocker or a firewall policy.
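To make two of the points in this thread concrete (the explanation that a DNS reply's high destination port is simply the query's source port, and the port matrix in the list above), here is an added Python example. It is not code from Cisco, ThreatLocker, or anyone in the thread. The host addresses, the flow records and the shape of the RULES table are constructed for the example; the port numbers are the ones quoted in the replies. It classifies flow records the way a stateful policy would: a packet is allowed if it targets a listed (protocol, host, port), or if its reversed five-tuple matches an allowed request already seen, so replies landing on ports in the 8000s or 46000s are recognised as return traffic rather than as ports that need their own rule.

```python
"""Stateful check of WLC flow records against the port matrix in this thread.

Added example, not Cisco's or ThreatLocker's code. Addresses and flow records
are constructed; port numbers come from the replies above.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "proto src sport dst dport")

# Constructed addresses for the example.
WLC, DC, RADIUS, AP = "10.0.0.10", "10.0.0.5", "10.0.0.6", "10.0.1.21"

# (proto, listening host, listening port) -> what the thread says it is for.
# The other side of each conversation picks an ephemeral source port, which
# carries no policy meaning.
RULES = {
    ("udp", DC, 53):       "DNS query (WLC is the client)",
    ("tcp", DC, 53):       "DNS over TCP (large answers, zone transfers)",
    ("tcp", DC, 389):      "LDAP",
    ("tcp", DC, 636):      "LDAPS",
    ("udp", RADIUS, 1812): "RADIUS authentication",
    ("udp", RADIUS, 1813): "RADIUS accounting",
    ("udp", WLC, 1700):    "RADIUS CoA (the AAA server initiates this one)",
    ("udp", WLC, 5246):    "CAPWAP control (AP is the client)",
    ("udp", WLC, 5247):    "CAPWAP data (AP is the client)",
    ("tcp", WLC, 22):      "SSH management",
    ("tcp", WLC, 443):     "HTTPS management",
}


def classify(flows):
    """Return one (verdict, reason) per flow, in input order.

    A flow is allowed if its destination is a listed (proto, host, port), or
    if its reversed five-tuple matches an allowed request seen earlier (return
    traffic). Anything else is reported as unsolicited for review.
    """
    open_requests = set()
    verdicts = []
    for f in flows:
        if (f.proto, f.dst, f.dport) in RULES:
            open_requests.add(f)
            verdicts.append(("allow", RULES[(f.proto, f.dst, f.dport)]))
            continue
        reverse = Flow(f.proto, f.dst, f.dport, f.src, f.sport)
        if reverse in open_requests:
            # The server replies from its listening port to whatever source
            # port the client used; that port is only a flow identifier.
            verdicts.append(("allow", "return traffic for: "
                             + RULES[(f.proto, f.src, f.sport)]))
        else:
            verdicts.append(("deny", f"unsolicited {f.proto}/{f.dport} on "
                             f"{f.dst} from {f.src}"))
    return verdicts


# Constructed flow records, in the shape a report like the one in the thread
# would show: DNS replies landing on WLC ports in the 8000s and 46000s.
SAMPLE_FLOWS = [
    Flow("udp", WLC, 8413, DC, 53),         # query from ephemeral port 8413
    Flow("udp", DC, 53, WLC, 8413),         # reply: dst port = query's src port
    Flow("udp", WLC, 46021, DC, 53),
    Flow("udp", DC, 53, WLC, 46021),
    Flow("udp", DC, 53, WLC, 8555),         # no query preceded this reply
    Flow("udp", AP, 22340, WLC, 5246),      # CAPWAP control, AP initiates
    Flow("udp", WLC, 5246, AP, 22340),      # controller's reply, same tuple
    Flow("udp", RADIUS, 40100, WLC, 1700),  # CoA arrives from the AAA server
    Flow("udp", WLC, 1645, RADIUS, 1812),   # 1645 here is only a source port
    Flow("tcp", WLC, 51001, DC, 445),       # SMB is not in the matrix
]


def summary(flows=SAMPLE_FLOWS):
    """Count verdicts; the 'deny' entries are the ones worth investigating."""
    verdicts = classify(flows)
    return {"allow": sum(1 for v, _ in verdicts if v == "allow"),
            "deny": sum(1 for v, _ in verdicts if v == "deny")}


if __name__ == "__main__":
    for f, (verdict, reason) in zip(SAMPLE_FLOWS, classify(SAMPLE_FLOWS)):
        print(f"{verdict:5} {f.proto} {f.src}:{f.sport} -> "
              f"{f.dst}:{f.dport}  {reason}")
    print(summary())
```

Two things the output makes visible that a port list alone does not: the reply to port 8413 and the reply to port 46021 are both allowed without any rule naming those ports, while the reply to port 8555 is flagged because no query from that port was ever seen. The table also records direction: for CoA the AAA server is the one opening the conversation toward the WLC on UDP/1700, so a direction-aware policy treats the WLC as the listener there, the opposite of the 1812/1813 rows.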
