Acme-dns renews on random ports

How can I secure the server that is using acme-dns for renewing? Traffic comes in from to my acme server on random (5 digit) port. Should I open all ports from this IP?

How do you mean, "on a random port"? Could you please elaborate?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


I don't know how much more I can elaborate on that.
Communication looks like this: > >

Same goes for or

Only if I open all ports from all directions, acme-dns actually works. From security standpoint it's not acceptable. In acme-dns documentation it says to just open port 53 and you're good. Not really.

1 Like

I doubt this is acme-dns traffic.

I think this is your ACME client talking to

In that case, the random source port makes sense, because that's how client→server connections always work.


If you are hosting acme-dns, open incoming port 53 for TCP and UDP to allow the DNS queries, open port 80 and 443 for the registration API (and to allow it to use http validation for it's own cert).


I agree with @_az here: that connection looks more like the received packages from an outgoing connection using HTTPS. The IP address is from Cloudflare, which indeed could be the ACME API. This is definitely not an incoming connection to your port 42140, as that would mean the originating port would be 443. And while technically possible it's highly unlikely.


Yeah the IP in question is from letsencrypt.

Thank you for your answer. This seems to work nicely!


I'm pretty sure acme-dns always uses DNS validation for its own cert--it certainly makes sense that it would, if it's the authoritative DNS server for its zone. And, of course, you can run the API on any port you want, though 80/443 would certainly be the defaults.


Good point, v0.8 onwards uses DNS validation by default. I don't know if you can still configure it to use http-01.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.