-----Original Message-----
From: Dobbins, Roland <[email protected]>
Date: Friday, April 26, 2013 8:33 AM
To: "[email protected] List" <[email protected]>
Subject: Re: [dns-operations] DNS Issue
> On Apr 26, 2013, at 7:24 PM, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
>
>> Also can someone explain why tcp53 should be allowed on the firewalls
>> if dns is behind a firewall?
>
> Truncate mode.
>
>> And why auditors do not like tcp53 open to public?
>
> 'Security' misinformation spread by firewall vendors since the late 1990s.

Particularly sad since, even in a least-privilege world (which I think we could all agree to), 53/tcp is simply RFC/protocol-compliance, not unnecessary access, as many have pointed out. Also ironic, in that 53/udp actually causes more damage (amplification, etc.) these days than 53/tcp ever has.

I've had 53/udp and 53/tcp open on every DNS server I've managed for over a decade, and never had a problem justifying it on audits. Sure it might be a finding, but it can be easily explained. If that's not the case, find another auditor.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
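The "truncate mode" answer above, shown as an added example that is not part of the thread: a resolver inspects the TC bit of a UDP reply and, when set, re-asks over 53/tcp, where each message carries a 2-byte length prefix. The sample headers are constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass

# Header flag bits from RFC 1035 section 4.1.1 (16-bit flags word)
QR_FLAG = 0x8000  # response
TC_FLAG = 0x0200  # truncated: the full answer did not fit in the UDP reply
RD_FLAG = 0x0100  # recursion desired
RA_FLAG = 0x0080  # recursion available


@dataclass
class DnsHeader:
    id: int
    flags: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int

    @property
    def truncated(self) -> bool:
        return bool(self.flags & TC_FLAG)


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed 12-byte DNS header (six big-endian 16-bit fields)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    return DnsHeader(*struct.unpack("!6H", msg[:12]))


def next_transport(udp_reply: bytes) -> str:
    """A TC=1 UDP reply means 'retry over TCP'; a 53/tcp block breaks this step."""
    return "tcp" if parse_header(udp_reply).truncated else "udp"


def tcp_framed(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream: bytes) -> list:
    """Split a TCP byte stream back into DNS messages using the length prefixes."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        pos += 2
        if pos + length > len(stream):
            raise ValueError("incomplete DNS message in TCP stream")
        msgs.append(stream[pos:pos + length])
        pos += length
    if pos != len(stream):
        raise ValueError("dangling bytes after last DNS message")
    return msgs


# Constructed sample replies (header only, no question/answer sections):
COMPLETE_REPLY = struct.pack("!6H", 0x1234, QR_FLAG | RD_FLAG | RA_FLAG, 1, 1, 0, 0)
TRUNCATED_REPLY = struct.pack("!6H", 0x1234, QR_FLAG | RD_FLAG | RA_FLAG | TC_FLAG, 1, 0, 0, 0)
```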
