Vanja wrote:
> Is it ok if only UDP/53 is left open, to serve DNS requests? As much as
> I have understood, I can safely close TCP/53. The server in question is
> a 'small' one (meaning: not so many requests per day, and only requests
> for www/dns/mail will probably come there anyway).
>
> I have been looking at the traffic for past 24 hours, and as much as I
> can see, everything works fine (some requests come first to TCP/53, but
> they are resent after a few secs to UDP/53). However, I might break
> something without knowing it :)
53/tcp is used in the following cases:
1. For zone transfers. It is required for this. If you don't do zone
transfers through your firewall, you don't need it for this reason.
2. To obtain responses that won't fit in a udp (512 byte) packet. For
this, you may need to allow tcp, depending on the length of the answers
that you need to get and supply through the firewall.
Most resolvers and other nameservers, when querying your server, will first
try 53/udp. Only if that yields a truncated response will they then switch
to tcp. Likewise, your server, if it's used to resolve queries on the
Internet for your internal machines, will want to use tcp in similar
circumstances.
Example, using nslookup to query the MX (mail) record for aol.com, which
I know requires a long answer. Nslookup by default uses udp (and doesn't
tell you if the answer has been truncated unless you use debug mode!). In
the second test, I use the "-vc" (virtual circuit) option of nslookup -
that tells it to use tcp. Compare the difference in the answers.
>nslookup -qt=mx aol.com.
Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
aol.com preference = 15, mail exchanger = za.mx.aol.com
aol.com preference = 15, mail exchanger = zb.mx.aol.com
aol.com preference = 15, mail exchanger = zc.mx.aol.com
aol.com preference = 15, mail exchanger = zd.mx.aol.com
aol.com preference = 15, mail exchanger = yb.mx.aol.com
aol.com preference = 15, mail exchanger = yc.mx.aol.com
aol.com preference = 15, mail exchanger = yd.mx.aol.com
aol.com preference = 15, mail exchanger = yg.mx.aol.com
aol.com preference = 15, mail exchanger = yh.mx.aol.com
Authoritative answers can be found from:
aol.com nameserver = DNS-02.NS.aol.com
aol.com nameserver = DNS-01.NS.aol.com
za.mx.aol.com internet address = 152.163.224.5
za.mx.aol.com internet address = 152.163.224.1
za.mx.aol.com internet address = 152.163.224.2
za.mx.aol.com internet address = 152.163.224.3
za.mx.aol.com internet address = 152.163.224.4
zb.mx.aol.com internet address = 152.163.224.34
zb.mx.aol.com internet address = 152.163.224.35
zb.mx.aol.com internet address = 152.163.224.36
zb.mx.aol.com internet address = 152.163.224.37
zb.mx.aol.com internet address = 152.163.224.33
zc.mx.aol.com internet address = 152.163.224.66
zc.mx.aol.com internet address = 152.163.224.65
zc.mx.aol.com internet address = 152.163.224.69
zc.mx.aol.com internet address = 152.163.224.68
zc.mx.aol.com internet address = 152.163.224.67
DNS-02.NS.aol.com internet address = 205.188.157.232
And now do it again using tcp:
>nslookup -qt=mx -vc aol.com.
Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
aol.com preference = 15, mail exchanger = zb.mx.aol.com
aol.com preference = 15, mail exchanger = zc.mx.aol.com
aol.com preference = 15, mail exchanger = zd.mx.aol.com
aol.com preference = 15, mail exchanger = yb.mx.aol.com
aol.com preference = 15, mail exchanger = yc.mx.aol.com
aol.com preference = 15, mail exchanger = yd.mx.aol.com
aol.com preference = 15, mail exchanger = yg.mx.aol.com
aol.com preference = 15, mail exchanger = yh.mx.aol.com
aol.com preference = 15, mail exchanger = za.mx.aol.com
Authoritative answers can be found from:
aol.com nameserver = DNS-02.NS.aol.com
aol.com nameserver = DNS-01.NS.aol.com
zb.mx.aol.com internet address = 152.163.224.34
zb.mx.aol.com internet address = 152.163.224.35
zb.mx.aol.com internet address = 152.163.224.36
zb.mx.aol.com internet address = 152.163.224.37
zb.mx.aol.com internet address = 152.163.224.33
zc.mx.aol.com internet address = 152.163.224.66
zc.mx.aol.com internet address = 152.163.224.65
zc.mx.aol.com internet address = 152.163.224.69
zc.mx.aol.com internet address = 152.163.224.68
zc.mx.aol.com internet address = 152.163.224.67
zd.mx.aol.com internet address = 152.163.224.98
zd.mx.aol.com internet address = 152.163.224.99
zd.mx.aol.com internet address = 152.163.224.100
zd.mx.aol.com internet address = 152.163.224.101
zd.mx.aol.com internet address = 152.163.224.97
yb.mx.aol.com internet address = 205.188.156.99
yb.mx.aol.com internet address = 205.188.156.100
yb.mx.aol.com internet address = 205.188.156.101
yb.mx.aol.com internet address = 205.188.156.97
yb.mx.aol.com internet address = 205.188.156.98
yc.mx.aol.com internet address = 205.188.156.130
yc.mx.aol.com internet address = 205.188.156.131
yc.mx.aol.com internet address = 205.188.156.132
yc.mx.aol.com internet address = 205.188.156.133
yc.mx.aol.com internet address = 205.188.156.129
yd.mx.aol.com internet address = 205.188.156.164
yd.mx.aol.com internet address = 205.188.156.165
yd.mx.aol.com internet address = 205.188.156.161
yd.mx.aol.com internet address = 205.188.156.162
yd.mx.aol.com internet address = 205.188.156.163
yg.mx.aol.com internet address = 205.188.156.225
yg.mx.aol.com internet address = 205.188.156.226
yg.mx.aol.com internet address = 205.188.156.227
yg.mx.aol.com internet address = 205.188.156.228
yg.mx.aol.com internet address = 205.188.156.229
yh.mx.aol.com internet address = 205.188.157.3
yh.mx.aol.com internet address = 205.188.157.4
yh.mx.aol.com internet address = 205.188.157.5
yh.mx.aol.com internet address = 205.188.157.1
yh.mx.aol.com internet address = 205.188.157.2
za.mx.aol.com internet address = 152.163.224.5
za.mx.aol.com internet address = 152.163.224.1
za.mx.aol.com internet address = 152.163.224.2
za.mx.aol.com internet address = 152.163.224.3
za.mx.aol.com internet address = 152.163.224.4
DNS-02.NS.aol.com internet address = 205.188.157.232
DNS-01.NS.aol.com internet address = 152.163.159.232
Tony Rall
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
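The udp-then-tcp behaviour Tony describes (a 512-byte udp reply with the TC
bit set, then the same query re-sent over tcp with a 2-byte length prefix),
as an added, runnable illustration that is not part of the thread. The
"server" below is a constructed stand-in, not BIND or any real nameserver,
and the zone (example.net with twenty mx01..mx20.mx.example.net records) is
made up so that the answer is deliberately too big for one udp packet.
Passing tcp_send=None models a firewall that drops 53/tcp: the client is then
left with the truncated udp answer, which is exactly what plain nslookup
showed above without telling you.

```python
import struct
from typing import Callable, List, Optional, Tuple

UDP_MAX = 512                     # classic DNS-over-UDP payload limit (RFC 1035)
FLAG_QR, FLAG_TC = 0x8000, 0x0200 # QR = response, TC = truncated, re-ask over TCP
TYPE_MX, CLASS_IN = 15, 1
HDR = struct.Struct("!HHHHHH")    # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name that may use compression pointers; return (name, end offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # pointer: jump, remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def build_query(name: str, qtype: int, txid: int) -> bytes:
    """Header with RD=1 plus a single question."""
    return HDR.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def mx_rr(pref: int, exchange: str) -> bytes:
    """One MX RR whose owner is a compression pointer to the question name (offset 12)."""
    rdata = struct.pack("!H", pref) + encode_name(exchange)
    return b"\xc0\x0c" + struct.pack("!HHIH", TYPE_MX, CLASS_IN, 3600, len(rdata)) + rdata


def constructed_server(query: bytes, rrs: List[bytes], transport: str) -> bytes:
    """Constructed stand-in for an authoritative server: over TCP it returns every RR;
    over UDP it drops whole RRs that would push the reply past 512 bytes and sets TC."""
    txid, _flags, qd = HDR.unpack_from(query)[:3]
    question = query[HDR.size:]
    body, count, flags = b"", 0, FLAG_QR
    for rr in rrs:
        if transport == "udp" and HDR.size + len(question) + len(body) + len(rr) > UDP_MAX:
            flags |= FLAG_TC
            break
        body += rr
        count += 1
    return HDR.pack(txid, flags, qd, count, 0, 0) + question + body


def parse_mx(resp: bytes) -> List[Tuple[int, str]]:
    """Return (preference, exchange) for every MX RR in the answer section."""
    _, _, qd, an, _, _ = HDR.unpack_from(resp)
    off = HDR.size
    for _ in range(qd):                              # skip the question section
        off = decode_name(resp, off)[1] + 4
    out = []
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
        off += 10
        if rtype == TYPE_MX:
            pref = struct.unpack_from("!H", resp, off)[0]
            out.append((pref, decode_name(resp, off + 2)[0]))
        off += rdlen
    return out


def resolve_mx(name: str, udp_send: Callable[[bytes], bytes],
               tcp_send: Optional[Callable[[bytes], bytes]],
               txid: int = 0x1234) -> Tuple[str, List[Tuple[int, str]]]:
    """Ask over UDP first; if TC is set, repeat over TCP (2-byte length prefix).
    tcp_send=None models 53/tcp being firewalled: the truncated answer is all you get."""
    query = build_query(name, TYPE_MX, txid)
    resp = udp_send(query)
    rid, flags = HDR.unpack_from(resp)[:2]
    if rid != txid or not flags & FLAG_QR:
        raise ValueError("not a response to our query")
    if not flags & FLAG_TC:
        return "udp", parse_mx(resp)
    if tcp_send is None:
        return "udp(truncated)", parse_mx(resp)
    raw = tcp_send(struct.pack("!H", len(query)) + query)   # TCP: length-prefixed message
    (length,) = struct.unpack_from("!H", raw)
    return "tcp", parse_mx(raw[2:2 + length])


def demo():
    """Made-up zone: 20 MX records, more than one 512-byte UDP reply can carry."""
    rrs = [mx_rr(15, f"mx{i:02d}.mx.example.net") for i in range(1, 21)]
    udp = lambda q: constructed_server(q, rrs, "udp")

    def tcp(framed: bytes) -> bytes:                 # fake TCP transport, same framing
        (n,) = struct.unpack_from("!H", framed)
        r = constructed_server(framed[2:2 + n], rrs, "tcp")
        return struct.pack("!H", len(r)) + r

    return resolve_mx("example.net", udp, None), resolve_mx("example.net", udp, tcp)


if __name__ == "__main__":
    for transport, answers in demo():
        print(f"{transport}: {len(answers)} MX records")
```

With 53/tcp blocked the client gets 13 of the 20 records and no error, the
same silent shortfall as the first nslookup run above; with tcp allowed it
gets all 20. A real resolver behaves the same way, which is why a closed
53/tcp shows up as "mail sometimes goes to the wrong host" rather than as a
failed lookup.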