[EMAIL PROTECTED] wrote:
> TRall wrote:
>> Second, for dns to work correctly you also need to allow tcp. Perhaps you've
>> done that elsewhere, but I'll show it below.
>
> Many agree that the best practice is to allow tcp only among the fellow NSs
> for your zones, since DNS typically uses tcp only for zone transfers.

Many are then wrong. You're correct that tcp is used for zone transfers
(which is of no concern to normal dns queries), but you're wrong about tcp
not being used for dns queries. It's somewhat unusual where it comes into
play, but I've had access broken when tcp was blocked by the router.

Tcp is needed when the response from the nameserver is more than will fit in
one 512-byte udp packet. The resolver gets a truncated response; then it
must do a query using tcp.

Here's an example of where you would have a problem if you didn't allow tcp.
Using nslookup and the "novc" (no virtual circuit, meaning it must use udp)
option (which is actually the default), we get:

    nslookup -qt=mx -novc aol.com.

    aol.com preference = 15, mail exchanger = yh.mx.aol.com
    aol.com preference = 15, mail exchanger = za.mx.aol.com
    aol.com preference = 15, mail exchanger = zb.mx.aol.com
    aol.com preference = 15, mail exchanger = zc.mx.aol.com
    aol.com preference = 15, mail exchanger = zd.mx.aol.com
    aol.com preference = 15, mail exchanger = yb.mx.aol.com
    aol.com preference = 15, mail exchanger = yc.mx.aol.com
    aol.com preference = 15, mail exchanger = yd.mx.aol.com
    aol.com preference = 15, mail exchanger = yg.mx.aol.com
    aol.com nameserver = DNS-01.NS.aol.com
    aol.com nameserver = DNS-02.NS.aol.com
    yh.mx.aol.com internet address = 205.188.157.1
    yh.mx.aol.com internet address = 205.188.157.2
    yh.mx.aol.com internet address = 205.188.157.3
    yh.mx.aol.com internet address = 205.188.157.4
    yh.mx.aol.com internet address = 205.188.157.5
    za.mx.aol.com internet address = 198.81.16.4
    za.mx.aol.com internet address = 198.81.16.5
    za.mx.aol.com internet address = 198.81.16.1
    za.mx.aol.com internet address = 198.81.16.2
    za.mx.aol.com internet address = 198.81.16.3
    zb.mx.aol.com internet address = 198.81.16.36
    zb.mx.aol.com internet address = 198.81.16.37
    zb.mx.aol.com internet address = 198.81.16.33
    zb.mx.aol.com internet address = 198.81.16.34
    zb.mx.aol.com internet address = 198.81.16.35
    DNS-01.NS.aol.com internet address = 198.81.17.232

Then doing it again, this time with "vc" (virtual circuit - use tcp):

    nslookup -qt=mx -vc aol.com.

    aol.com preference = 15, mail exchanger = zd.mx.aol.com
    aol.com preference = 15, mail exchanger = yb.mx.aol.com
    aol.com preference = 15, mail exchanger = yc.mx.aol.com
    aol.com preference = 15, mail exchanger = yd.mx.aol.com
    aol.com preference = 15, mail exchanger = yg.mx.aol.com
    aol.com preference = 15, mail exchanger = yh.mx.aol.com
    aol.com preference = 15, mail exchanger = za.mx.aol.com
    aol.com preference = 15, mail exchanger = zb.mx.aol.com
    aol.com preference = 15, mail exchanger = zc.mx.aol.com
    aol.com nameserver = DNS-02.NS.aol.com
    aol.com nameserver = DNS-01.NS.aol.com
    zd.mx.aol.com internet address = 198.81.16.99
    zd.mx.aol.com internet address = 198.81.16.100
    zd.mx.aol.com internet address = 198.81.16.101
    zd.mx.aol.com internet address = 198.81.16.97
    zd.mx.aol.com internet address = 198.81.16.98
    yb.mx.aol.com internet address = 205.188.156.100
    yb.mx.aol.com internet address = 205.188.156.101
    yb.mx.aol.com internet address = 205.188.156.97
    yb.mx.aol.com internet address = 205.188.156.98
    yb.mx.aol.com internet address = 205.188.156.99
    yc.mx.aol.com internet address = 205.188.156.131
    yc.mx.aol.com internet address = 205.188.156.132
    yc.mx.aol.com internet address = 205.188.156.133
    yc.mx.aol.com internet address = 205.188.156.129
    yc.mx.aol.com internet address = 205.188.156.130
    yd.mx.aol.com internet address = 205.188.156.164
    yd.mx.aol.com internet address = 205.188.156.165
    yd.mx.aol.com internet address = 205.188.156.161
    yd.mx.aol.com internet address = 205.188.156.162
    yd.mx.aol.com internet address = 205.188.156.163
    yg.mx.aol.com internet address = 205.188.156.225
    yg.mx.aol.com internet address = 205.188.156.226
    yg.mx.aol.com internet address = 205.188.156.227
    yg.mx.aol.com internet address = 205.188.156.228
    yg.mx.aol.com internet address = 205.188.156.229
    yh.mx.aol.com internet address = 205.188.157.5
    yh.mx.aol.com internet address = 205.188.157.1
    yh.mx.aol.com internet address = 205.188.157.2
    yh.mx.aol.com internet address = 205.188.157.3
    yh.mx.aol.com internet address = 205.188.157.4
    za.mx.aol.com internet address = 198.81.16.2
    za.mx.aol.com internet address = 198.81.16.3
    za.mx.aol.com internet address = 198.81.16.4
    za.mx.aol.com internet address = 198.81.16.5
    za.mx.aol.com internet address = 198.81.16.1
    zb.mx.aol.com internet address = 198.81.16.36
    zb.mx.aol.com internet address = 198.81.16.37
    zb.mx.aol.com internet address = 198.81.16.33
    zb.mx.aol.com internet address = 198.81.16.34
    zb.mx.aol.com internet address = 198.81.16.35
    zc.mx.aol.com internet address = 198.81.16.69
    zc.mx.aol.com internet address = 198.81.16.68
    zc.mx.aol.com internet address = 198.81.16.67
    zc.mx.aol.com internet address = 198.81.16.66
    zc.mx.aol.com internet address = 198.81.16.65
    DNS-02.NS.aol.com internet address = 205.188.157.232
    DNS-01.NS.aol.com internet address = 198.81.17.232

In the udp case, you get 15 aol mail server addresses. In the tcp case, you
get 45. Will it break anything if all your resolver gets is the first answer?
Quite possible. It depends on how upset the resolver is when his tcp requests
all fail.

>> access-list 121 permit udp any any eq domain
>> access-list 121 permit udp any any range 1024 5999
>> access-list 121 permit tcp any any established
>> access-list 121 deny any any log
>
> The second address in the first statement can receive but not
> send dns queries. Not sure what the intent of the next
> two are WRT dns.

You're right - I didn't show an access list for the other direction. As
others have pointed out, the first statement should be:

    access-list 121 permit udp any eq domain any

and the second statement can be removed. Note that this completely opens you
up to udp, as long as the source port is 53. To do better, you need to be
stateful (which I think may be possible in some Cisco packages). The third
statement is for the tcp path (and it can be tightened), if you choose to
support it.

Anyway, the updated list to support outbound dns queries is (on the inbound
Internet interface of your router):

    access-list 121 permit udp any eq domain any
    access-list 121 permit tcp any eq domain any established
    access-list 121 deny any any log

Tony Rall

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
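The truncation-and-retry behaviour the message above describes, as an added example that is not part of the original post or thread. The zone name, the 45 constructed MX names, the FakeAuthServer class and the resolve_mx function are all assumptions made for the demonstration; only the wire format (RFC 1035 header, TC bit, 512-byte UDP limit, 2-byte length prefix on TCP) is real. The simulated server drops whole records until the UDP answer fits and sets TC; the stub resolver then retries over TCP, and tcp_allowed=False models a router ACL that drops tcp/53:

```python
# Simulated DNS truncation / TCP fallback. Added example, not code from the
# original thread; server, zone and MX names are constructed for the demo.
import struct

QTYPE_MX = 15
QCLASS_IN = 1
UDP_MAX = 512        # RFC 1035 2.3.4: UDP message limit (before EDNS0)
FLAG_QR = 0x8000     # response
FLAG_TC = 0x0200     # truncated: client must retry over TCP (RFC 1035 4.2.1)


def encode_name(name):
    """Dotted name -> uncompressed DNS wire labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234):
    """12-byte header with RD set, followed by one question."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return the TC bit and the (preference, exchange) pairs in the answer."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    exchanges = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_MX:
            pref = struct.unpack("!H", msg[off:off + 2])[0]
            exchanges.append((pref, read_name(msg, off + 2)[0]))
        off += rdlen
    return {"tc": bool(flags & FLAG_TC), "exchanges": exchanges}


class FakeAuthServer:
    """Hypothetical authoritative server holding one MX RRset (constructed)."""

    def __init__(self, exchanges, pref=15, ttl=300):
        self.rrs = []
        for ex in exchanges:
            rdata = struct.pack("!H", pref) + encode_name(ex)
            # owner name is a pointer (0xC00C) to the question name at offset 12
            self.rrs.append(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_MX, QCLASS_IN, ttl, len(rdata)) + rdata)

    def _assemble(self, query, rrs, tc):
        flags = FLAG_QR | 0x0180 | (FLAG_TC if tc else 0)   # QR, RD, RA (+TC)
        return query[:2] + struct.pack("!HHHHH", flags, 1, len(rrs), 0, 0) + query[12:] + b"".join(rrs)

    def udp(self, query):
        """Drop whole RRs until the datagram fits; set TC if anything was dropped."""
        rrs = list(self.rrs)
        while len(self._assemble(query, rrs, tc=True)) > UDP_MAX:
            rrs.pop()
        return self._assemble(query, rrs, tc=len(rrs) < len(self.rrs))

    def tcp(self, query):
        """Full answer with the 2-byte length prefix used on TCP (RFC 1035 4.2.2)."""
        msg = self._assemble(query, self.rrs, tc=False)
        return struct.pack("!H", len(msg)) + msg


def resolve_mx(qname, server, tcp_allowed=True):
    """Stub resolver: ask over UDP; if the answer is truncated, retry over TCP.
    tcp_allowed=False models a router ACL that drops tcp/53."""
    query = build_query(qname, QTYPE_MX)
    reply = parse_response(server.udp(query))
    if not reply["tc"]:
        return "udp", reply["exchanges"]
    if not tcp_allowed:
        raise ConnectionError("truncated UDP answer and the TCP retry was blocked")
    stream = server.tcp(query)
    length = struct.unpack("!H", stream[:2])[0]
    return "tcp", parse_response(stream[2:2 + length])["exchanges"]


# Constructed zones: 45 MX records will not fit one 512-byte datagram, 3 will.
BIG_ZONE = FakeAuthServer(["mx%02d.example.net." % i for i in range(45)])
SMALL_ZONE = FakeAuthServer(["mx%02d.example.net." % i for i in range(3)])

if __name__ == "__main__":
    for label, zone in (("small", SMALL_ZONE), ("big", BIG_ZONE)):
        transport, mx = resolve_mx("example.net.", zone)
        print("%s zone: %d MX records via %s" % (label, len(mx), transport))
    try:
        resolve_mx("example.net.", BIG_ZONE, tcp_allowed=False)
    except ConnectionError as err:
        print("big zone with tcp/53 blocked:", err)
```

With the sizes used here (29-byte query, 32 bytes per MX record) the UDP answer carries 15 of the 45 records in 509 bytes with TC set, the same 15-versus-45 split the nslookup output above shows; a resolver that cannot reach tcp/53 is left with the partial set or an error, depending on how it treats the failed retry.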
