At 23:03 06/01/2000 +0700, you wrote:
>I've heard various comments on this, so I want to double-check it.
>
>Is it ok if only UDP/53 is left open, to serve DNS requests? As much as
>I have understood, I can safely close TCP/53. The server in question is
>a 'small' one (meaning: not so many requests per day, and only requests
>for www/dns/mail will probably come there anyway).
>
>I have been looking at the traffic for past 24 hours, and as much as I
>can see, everything works fine (some requests come first to TCP/53, but
>they are resent after few secs to UDP/53). However, I might break
>something without knowing it :)

  You'll break DNS zone transfers, which means you can't have a secondary
DNS server outside our network (and all networks should have an external
secondary DNS server).

  If you don't have an external secondary DNS and your DNS server does not
supply a large number of IPs for a specific name, then it is ok to allow
only 53/UDP.

  Regards,

  Rodrigo Ormonde

--
Rodrigo de La Rocque Ormonde
e-mail: [EMAIL PROTECTED]
Aker Security Solutions - http://www.aker.com.br
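
The "large number of IPs for a specific name" point above comes from the classic 512-byte payload limit on DNS over UDP: once the answer section no longer fits, a server truncates the reply and sets the TC bit, and the resolver retries over TCP/53. The following is an added example, not code from the thread or from any of the posters; it builds a wire-format A-record response with the standard library, reports the point at which the reply stops fitting in a UDP datagram, and shows the truncation behaviour that forces the TCP retry. It assumes the classic RFC 1035 limit (no EDNS(0) buffer-size negotiation), the constructed name `www.example.com`, and a constructed list of 10.0.0.x addresses.

```python
import struct

UDP_MAX = 512  # classic DNS-over-UDP payload limit (RFC 1035), without EDNS(0)
TC_BIT = 0x0200  # "truncated" flag in the header flags word
A_RR_WIRE_SIZE = 16  # compressed name ptr(2)+type(2)+class(2)+ttl(4)+rdlen(2)+IPv4(4)


def encode_name(name):
    """Encode a dotted name as DNS labels: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(name, addresses, txid=0x1234):
    """Build a complete wire-format response carrying one A record per address."""
    flags = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer to the owner name at offset 12 (start of question)
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    return header + question + answers


def needs_tcp(name, addresses):
    """Return (True, size) when the full answer cannot travel in one UDP datagram."""
    size = len(build_a_response(name, addresses))
    return size > UDP_MAX, size


def max_a_records_over_udp(name):
    """Largest number of A records for this name that still fits in 512 bytes."""
    fixed = 12 + len(encode_name(name)) + 4  # header + question section
    return (UDP_MAX - fixed) // A_RR_WIRE_SIZE


def truncate_for_udp(name, addresses):
    """Server-side behaviour when the answer overflows: keep the records that fit
    and set TC so the client knows to retry the query over TCP/53."""
    keep = min(len(addresses), max_a_records_over_udp(name))
    msg = bytearray(build_a_response(name, addresses[:keep]))
    if keep < len(addresses):
        flags = struct.unpack("!H", msg[2:4])[0] | TC_BIT
        msg[2:4] = struct.pack("!H", flags)
    return bytes(msg)


def tc_set(msg):
    """True when the TC bit is set in a wire-format DNS message."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_BIT)


def answer_count(msg):
    """ANCOUNT field of a wire-format DNS message."""
    return struct.unpack("!H", msg[6:8])[0]


if __name__ == "__main__":
    name = "www.example.com"  # constructed sample name
    # constructed sample: a name that resolves to 30 addresses
    many = ["10.0.0.%d" % i for i in range(1, 31)]
    print("max A records over UDP for %s: %d" % (name, max_a_records_over_udp(name)))
    print("30 addresses needs TCP:", needs_tcp(name, many))
    reply = truncate_for_udp(name, many)
    print("truncated reply: %d bytes, TC=%s, ANCOUNT=%d"
          % (len(reply), tc_set(reply), answer_count(reply)))
```

With only UDP/53 open, a client that receives the TC-flagged reply retries over TCP and gets no answer, so the name effectively resolves to a partial address set or fails. Running the check against your own zone's largest round-robin names is the quick way to confirm the condition the reply above describes.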
