TCP is for zone transfers (master->slave), while UDP is used
for DNS queries and zone notifications.

It is a good idea to let the other world query your DNS server,
so that the domain(s) for which you're authoritative can be
resolved. It is a good idea to be a slave zone of the zone for reverse
resolving (unless you have delegation for it).
This way you can speed up your DNS.

Also you can assign domain names to the hosts in your private (as far
as I understood) network and run a zone for reverse
resolving for those private nets. This way services that try to resolve
IPs will not wait for DNS to try to resolve these IPs.

In BIND > 8.2 it is possible to restrict incoming queries for each zone.
If you don't want to let others make zone transfers from you, you can
add the permitted hosts either in the access list of the DNS
server or put a firewall that denies incoming TCP packets with
SYN flag set.

Also check out http://www.isc.org/ and look for BIND.

Good luck
Vanja Hrustic wrote:

Small & silly problem.

Intranet ==> DNS ==> Internet

In this case, DNS is the machine that has an assigned 'normal' IP address
(visible/accessible from Internet), and is used to resolve Internet
addresses for Intranet users.

The question.

Is there any reason why the DNS server should accept connections at port 53
(tcp or/and udp) from the 'outer' world? As much as I can understand, there
is no need. But... I ask, just to make sure :)

Thanks.
Vanja
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
--
---------------------------
Vesselin Mladenov
NetBG Communications LTD.
http://www.netbg.com
mailto:[EMAIL PROTECTED]
phone: +3592-9744260
phone: +3592-9744261
---------------------------
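The advice in the reply above (open queries, transfers only to your secondaries, a slave copy of the public reverse zone, a private reverse zone for internal hosts) expressed as a BIND named.conf fragment. This is an added example, not part of either message; the addresses (RFC 5737 documentation ranges), zone names, ACL names and file paths are constructed placeholders.

```conf
// Added example, not from either message: BIND named.conf fragment that
// follows the advice above. Addresses, zone names and paths are placeholders.

// Hosts allowed to pull zones over TCP (your secondaries/slaves).
acl "secondaries" { 203.0.113.5; 203.0.113.6; };

// Your own networks; the private reverse zone is only answered for these.
acl "internal" { 192.0.2.0/24; 10.0.0.0/8; };

options {
    directory "/var/named";
    // Anyone may query: the world must be able to resolve your zones.
    allow-query    { any; };
    // Default for every zone: no transfers unless the zone says otherwise.
    allow-transfer { none; };
};

// Forward zone you are authoritative for: queries from anyone,
// zone transfers (TCP) only to the listed secondaries.
zone "example.com" {
    type master;
    file "master/example.com";
    allow-transfer { secondaries; };
};

// Reverse zone for your public block, held as a slave of the server it is
// delegated to, so reverse lookups for your own addresses are answered locally.
zone "2.0.192.in-addr.arpa" {
    type slave;
    file "slave/2.0.192.in-addr.arpa";
    masters { 203.0.113.1; };
};

// Reverse zone for the private net, served only to internal hosts so that
// services resolving private IPs get an answer instead of waiting for a timeout.
zone "10.in-addr.arpa" {
    type master;
    file "master/10.in-addr.arpa";
    allow-query    { internal; };
    allow-transfer { none; };
};
```

The firewall alternative mentioned in the reply is the same policy enforced one layer down: leave UDP/53 open to everyone and accept inbound TCP/53 SYN only from the secondaries.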
