---
title: Inbound DNS access should be restricted
---

# Inbound DNS access should be restricted
 
## Description{% #description %}

Reduce the possibility of a breach by checking EC2 security groups for inbound rules that allow unfettered access to TCP and UDP port 53, commonly used during DNS resolution when a request is sent from DNS clients to DNS servers or between DNS servers.

## Rationale{% #rationale %}

Malicious activity, such as distributed denial-of-service (DDoS) attacks, can occur when permitting unfettered DNS access.

## Remediation{% #remediation %}

### Console{% #console %}

Follow the [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules) docs to learn how to add a security group rule that will restrict access to a specific port.

### CLI{% #cli %}

1. Run [`describe-security-groups`](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-security-groups.html) with a filter to expose security groups that allow inbound access to port 53.

2. Revoke the inbound rule that allows access to port 53 (in this example, from `192.0.2.0/24`) with `revoke-security-group-ingress`:

   ```bash
   # Remove the inbound (ingress) rule; egress rules do not affect inbound DNS access.
   # Repeat with "IpProtocol": "udp" if a matching UDP rule exists.
   aws ec2 revoke-security-group-ingress \
       --group-id your-group-id \
       --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "192.0.2.0/24"}]}]'
   ```
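The check behind this rule, as an added example that is not Datadog's or AWS's own code: it scans `describe-security-groups` output for inbound permissions that cover port 53 (TCP, UDP, or the all-protocol `-1` rule, including wide port ranges) from `0.0.0.0/0` or `::/0`. The JSON below is constructed in the shape the CLI returns; the group IDs are placeholders.

```python
import json

DNS_PORT = 53
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like `aws ec2 describe-security-groups` output (placeholder IDs).
SAMPLE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0a000000000000001", "IpPermissions": [
            {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-0b000000000000002", "IpPermissions": [
            # IpProtocol "-1" means all protocols and all ports, so it covers 53 as well
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ]},
        {"GroupId": "sg-0c000000000000003", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53,
             "IpRanges": [{"CidrIp": "192.0.2.0/24"}], "Ipv6Ranges": []},
        ]},
    ]
})


def rule_exposes_dns(perm: dict) -> bool:
    """True if one inbound permission allows port 53 (TCP or UDP) from anywhere."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        covers_port = True  # all protocols, all ports
    elif proto in ("tcp", "udp"):
        # FromPort/ToPort absent means the whole port range
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        covers_port = lo <= DNS_PORT <= hi
    else:
        return False  # ICMP or other protocols cannot carry DNS
    sources = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    sources |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return covers_port and bool(sources & ANYWHERE)


def find_open_dns_groups(describe_output: str) -> list[str]:
    """Return the GroupIds whose inbound rules violate the check."""
    groups = json.loads(describe_output)["SecurityGroups"]
    return sorted(g["GroupId"] for g in groups
                  if any(rule_exposes_dns(p) for p in g.get("IpPermissions", [])))


if __name__ == "__main__":
    print(find_open_dns_groups(SAMPLE_OUTPUT))  # ['sg-0a000000000000001', 'sg-0b000000000000002']
```

The third group is not flagged because its source is a specific CIDR rather than the whole internet, which is the state the remediation above leaves behind.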
