Good timing...

On Fri, 26 Apr 2013, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
> Also can someone explain why tcp53 should be allowed on the firewalls if dns 
> is behind a firewall?
>
> And why auditors do not like tcp53 open to public?

See, that's another of the arguments why DNS should *not* be behind "the
firewall": topology issues.

If your (recursive/caching) DNS server was outside the firewall, with
appropriate access controls, then port 53 through the firewall needs only
to be open with respect to the servers which you control.

That's not to say that you wouldn't/shouldn't have appropriate traffic
monitoring/etc. in place between the server and the rest of the
internet.

Agree/disagree, but there it is...

--

Fred Morris

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
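As an added illustration of the topology point above (example configuration written for this page, not part of the original post or the list discussion): an nftables ruleset for a firewall with the recursive/caching resolver placed in a DMZ, where port 53 is permitted only to and from the resolver that you control. The internal range 10.0.0.0/8 and the resolver address 192.0.2.53 are constructed placeholders.

```nft
# Added example (not from the original post). Topology: internal clients on
# 10.0.0.0/8, our recursive/caching resolver at 192.0.2.53 in a DMZ, and the
# internet beyond. Port 53 through the firewall is open only "with respect to
# the servers which you control", i.e. to and from the resolver.
table inet dns_edge {
    set resolvers {
        type ipv4_addr
        elements = { 192.0.2.53 }      # our recursive resolver (constructed address)
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to permitted queries come back via conntrack.
        ct state established,related accept
        ct state invalid drop

        # Internal clients may query only the resolver we control, UDP and TCP.
        ip saddr 10.0.0.0/8 ip daddr @resolvers udp dport 53 accept
        ip saddr 10.0.0.0/8 ip daddr @resolvers tcp dport 53 accept

        # The resolver itself may talk to authoritative servers on the internet,
        # again UDP and TCP (a truncated UDP answer is retried over TCP, so
        # blocking tcp/53 here breaks large responses).
        ip saddr @resolvers udp dport 53 accept
        ip saddr @resolvers tcp dport 53 accept

        # Anything else on port 53 (stray internal hosts resolving directly,
        # outside hosts trying to reach port 53 inside) is logged and dropped.
        udp dport 53 log prefix "dns-policy: " drop
        tcp dport 53 log prefix "dns-policy: " drop
    }
}
```

Load it with `nft -f dns_edge.nft`. Because the chain's policy is `drop`, this fragment on its own blocks all other forwarded traffic; in practice these rules are slotted into an existing forward chain rather than used as a complete policy. The log line gives the traffic monitoring between the resolver and the rest of the internet that the post says you would still want.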
