On Thu, 6 Jan 2000, Vanja Hrustic wrote:
> I've heard various comments on this, so I want to double-check it.
>
> Is it ok if only UDP/53 is left open, to serve DNS requests? As much as
> I have understood, I can safely close TCP/53. The server in question is
> a 'small' one (meaning: not so many requests per day, and only requests
> for www/dns/mail will probably come there anyway).
TCP is used for large answers and zone transfers. If you need to do
either, you'll need to allow the traffic - for instance AOL's servers
return rather large answer sets for www.aol.com (or at least used to.)
TCP can be set to only allow ACKed packets back in, so it's actually
"safer" than UDP, but of course UDP is necessary.
> I have been looking at the traffic for past 24 hours, and as much as I
> can see, everything works fine (some requests come first to TCP/53, but
> they are resent after few secs to UDP/53). However, I might break
> something without knowing it :)
>
> Any advice?
Make sure that you don't allow queries on the nameserver if at all
possible unless you specifically need to allow access to a zone you're
hosting. Personally, I prefer an external "hardened" nameserver that
the internal server is allowed to talk to, that way external traffic
comes from a host I own and admin, not from anywhere on the Internet
(an alternative may be to allow it to/from the root servers or a
provider's server; I prefer roots to trusting anyone else's server to
answer correctly.) If you're running BIND, you want to
make sure you're on 8.2.2-P5, everything else seems to be in active
exploitation.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
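Added example, not part of the thread above: a small DNS client that makes Paul's point about TCP/53 concrete. A UDP reply that would exceed the 512-byte RFC 1035 limit comes back with the TC (truncated) bit set and the client is expected to repeat the query over TCP, where each message carries a 2-byte length prefix; zone transfers (AXFR) never use UDP at all. The "server" here is a constructed stand-in that answers every question with a configurable number of A records from 192.0.2.0/24 (the record count, the query ID and the hostnames are assumptions for the demo), so the whole thing runs offline. Passing send_tcp=None models a firewall that drops TCP/53.

```python
"""Added example (not from the original post): why DNS needs TCP/53 as well."""
import struct

MAX_UDP_PAYLOAD = 512   # RFC 1035 ceiling for DNS over UDP (no EDNS0)
QTYPE_A = 1
QTYPE_AXFR = 252        # zone transfer: TCP only
QCLASS_IN = 1
FLAG_QR = 0x8000
FLAG_TC = 0x0200


def encode_name(name):
    """Encode a hostname as DNS labels, e.g. b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=QTYPE_A):
    """12-byte header with RD set, followed by a single question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Pull the fields we care about out of the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def tcp_frame(msg):
    """DNS over TCP prefixes every message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("TCP stream shorter than its length prefix")
    return body


def resolve(name, qtype, send_udp, send_tcp, qid=0x1234):
    """Query over UDP first; fall back to TCP when the reply has TC set.
    AXFR skips UDP entirely.  send_tcp=None models a firewall that drops
    TCP/53, which turns a large answer into a hard failure.
    Returns (response_bytes, transport_used)."""
    query = build_query(qid, name, qtype)
    if qtype != QTYPE_AXFR:
        resp = send_udp(query)
        hdr = parse_header(resp)
        if hdr["id"] != qid or not hdr["qr"]:
            raise ValueError("reply does not match our query")
        if not hdr["tc"]:
            return resp, "udp"
    if send_tcp is None:
        raise ConnectionError("answer needs TCP/53, which is blocked")
    resp = tcp_unframe(send_tcp(tcp_frame(query)))
    hdr = parse_header(resp)
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("reply does not match our query")
    return resp, "tcp"


def fake_server(query, transport, n_records=40):
    """Constructed stand-in for an authoritative server (not a real capture).
    Answers any question with n_records A records in 192.0.2.0/24.  Over UDP
    a reply over 512 bytes is sent with TC=1 and the answer section dropped,
    which is how a real server tells the client to come back over TCP."""
    hdr = parse_header(query)
    question = query[12:]          # single question, copied back verbatim
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 300, 4)
                   + bytes([192, 0, 2, i % 256]) for i in range(n_records))
    flags = FLAG_QR | 0x0180       # QR, RD, RA
    full = struct.pack("!HHHHHH", hdr["id"], flags, 1, n_records, 0, 0) + question + rrs
    if transport == "udp" and len(full) > MAX_UDP_PAYLOAD:
        return struct.pack("!HHHHHH", hdr["id"], flags | FLAG_TC, 1, 0, 0, 0) + question
    return tcp_frame(full) if transport == "tcp" else full


def run_scenarios():
    """Four cases: small answer over UDP, large answer forced onto TCP, the
    large answer with TCP/53 blocked, and an AXFR.  Returns a dict of outcomes."""
    udp = lambda q: fake_server(q, "udp")
    udp_small = lambda q: fake_server(q, "udp", n_records=3)
    tcp = lambda framed: fake_server(tcp_unframe(framed), "tcp")
    out = {}
    _, out["small"] = resolve("www.example.com", QTYPE_A, udp_small, tcp)
    big, out["large"] = resolve("www.example.com", QTYPE_A, udp, tcp)
    out["large_ancount"] = parse_header(big)["ancount"]
    try:
        resolve("www.example.com", QTYPE_A, udp, None)
        out["blocked"] = "ok"
    except ConnectionError:
        out["blocked"] = "failed"
    _, out["axfr"] = resolve("example.com", QTYPE_AXFR, udp, tcp)
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The "blocked" scenario is the failure mode the original poster would hit: the UDP exchange looks healthy on the wire, but any name whose answer set exceeds 512 bytes silently fails to resolve once TCP/53 is dropped, and secondaries can never pull a zone. A stateful rule that only admits established TCP/53 flows back in keeps the exposure small without breaking either case.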