On 2001.07.01, Tim Haynes <[EMAIL PROTECTED]> wrote:

> If it's Bind security you're worried about, btw, can you not firewall out
> 53/tcp altogether as well?
No. IIRC, 53/tcp is also used for DNS queries (not just XFERs) when the size is larger than the RFC specifies for the UDP-based payload. Or some such type of edge case of the DNS spec.

Could you filter out 53/tcp and "not really notice"? Sure. Could there be times you try to resolve something (or, rather, someone tries to resolve against your DNS server) and it fails for some reason? Quite possibly.

Just my two cents.

I currently run two copies of BIND9 on my DNS server -- one copy for the Internet/DMZ and one for my intranet, so that I only expose DNS for the hosts I want to advertise on the 'net, but have full/complete DNS for all of my intranet hosts only visible from behind the firewall. And both BIND9 instances run in a chroot jail. Works quite well for me. I've been running like this since BIND 4.9.6 ...

- Dossy

-- 
Dossy Shiobara                        mail: [EMAIL PROTECTED]
Panoptic Computer Network             web:  http://www.panoptic.com/
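The edge case Dossy is pointing at is the DNS truncation flag: when an answer does not fit in the UDP payload, the server sets TC in the header and the client is expected to retry the same question over 53/tcp (RFC 1035, with the two-byte length prefix used for TCP framing). The following is an added example, not code from the thread or from BIND; it builds a query, constructs a normal and a truncated response (constructed sample data, not captured traffic), and shows the decision a resolver has to make, including what happens when 53/tcp is filtered. The function and variable names are this example's own.

```python
"""DNS truncation (TC bit) and the 53/tcp fallback, worked offline.

Added example: builds and parses DNS wire-format messages with the
standard library only.  The responses below are constructed, not captured.
"""
import struct

HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
FLAG_QR = 0x8000                    # message is a response
FLAG_RD = 0x0100                    # recursion desired
FLAG_TC = 0x0200                    # truncated: answer did not fit the UDP payload
UDP_LIMIT = 512                     # RFC 1035 ceiling for a plain UDP response


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=1):
    """Plain A query (qclass IN); the same bytes go over UDP or inside a TCP frame."""
    return HEADER.pack(qid, FLAG_RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return the header fields a client needs to decide what to do next."""
    if len(msg) < HEADER.size:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "ancount": an}


def needs_tcp_retry(udp_response):
    """A TC=1 response carries no usable answer; the client must re-ask over TCP."""
    return parse_header(udp_response)["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 16-bit length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split a TCP byte stream back into DNS messages; stops at an incomplete tail."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, off)
        off += 2
        if off + length > len(stream):
            break  # partial message; a real client would keep reading the socket
        msgs.append(stream[off:off + length])
        off += length
    return msgs


def plan_resolution(udp_response, tcp53_open):
    """What a resolver does with a UDP reply, given whether 53/tcp is reachable."""
    if not needs_tcp_retry(udp_response):
        return "answered over udp"
    return "retry over tcp" if tcp53_open else "fails: truncated and 53/tcp filtered"


def fake_response(query, truncated):
    """Constructed server reply for the example (not real traffic).

    truncated=True mimics a server whose answer set exceeded UDP_LIMIT: it sets
    TC and sends back only the question section."""
    qid, flags, qd, _, _, _ = HEADER.unpack_from(query, 0)
    question = query[HEADER.size:]
    flags |= FLAG_QR
    if truncated:
        return HEADER.pack(qid, flags | FLAG_TC, qd, 0, 0, 0) + question
    # One A record: compression pointer to the question name (offset 12), IN, TTL, 4-byte rdata
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return HEADER.pack(qid, flags, qd, 1, 0, 0) + question + rr


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")          # example name, not a real host
    for truncated in (False, True):
        for tcp_open in (True, False):
            reply = fake_response(q, truncated)
            print(f"TC={int(truncated)} tcp53_open={tcp_open}: {plan_resolution(reply, tcp_open)}")
    framed = tcp_frame(q) + tcp_frame(fake_response(q, False))
    print("messages recovered from TCP stream:", len(tcp_unframe(framed)))
```

The point the example makes concrete: a firewall that drops 53/tcp does not break the common case, because most answers fit in UDP and the client never sees TC=1. It breaks exactly the case Dossy describes, where a legitimate response is too large (many records, long TXT data) and the retry has nowhere to go. A server behind such a filter is also a resolver behind it, so the failure can hit either direction.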

