Eessa,
#Could any one of you please tell me when the DNS Zone transfers
#(tcp/53) take
#place. I am administrating an ALG firewall and have defined rules for DNS
#Requests (UDP/53), but no rules are defined for DNS Zone (tcp/53), yet the
#firewall is working fine. All the names are being resolved accordingly.
#Under what circumstances do I have to define DNS Zone rules? Who makes
#these DNS Zone requests? I know it has to be DNS to DNS, but can a machine
#other than a DNS server make these requests?
#Thanks in advance for your time and efforts.
TCP Port 53 is used by DNS for DNS zone transfers and DNS queries over
512(?) bytes. So if there is an extremely long host name in a requested
PTR record, TCP may be used. Unless you have an ISP acting as your primary
or secondary DNS server, you do not need to allow zone transfers. You
should also use xfernets (BIND 4) or allow-transfer (BIND 8) to limit who
can do a zone transfer. Depending on how you set up your DNS servers or
what version of BIND you use, all zone transfers may be initiated by your
secondary DNS server, or (in BIND 8) your primary DNS server may alert the
secondary that a record has changed. The most common tool used to get a
zone transfer is nslookup. Get the nslookup tool, set the server to be
queried using 'server 10.1.1.1' and then do an 'ls -d domain.com'.
Regards,
Jeffery Gieser
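The two reasons Jeffery gives for tcp/53 traffic (zone-transfer requests and replies too large for UDP) can be told apart from the DNS message itself. The following is an added example, not code from the list or from BIND: it parses the DNS header and first question per RFC 1035 and classifies a message the way a firewall or IDS rule for tcp/53 would; the sample packets are constructed in the script, not captured traffic.

```python
import struct

AXFR, IXFR = 252, 251          # RFC 1035 / RFC 1995 zone-transfer QTYPEs
FLAG_QR, FLAG_TC = 0x8000, 0x0200   # header bits: response, truncated

def encode_name(name: str) -> bytes:
    """Encode 'domain.com' as DNS labels: \\x06domain\\x03com\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(ident, flags, qname, qtype, qclass=1):
    """Header plus one question: enough to model what arrives on tcp/53."""
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)

def parse_message(msg: bytes) -> dict:
    """Decode the header and the first question (RFC 1035 section 4.1)."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qdcount = struct.unpack("!3H", msg[:6])
    info = {"id": ident, "response": bool(flags & FLAG_QR),
            "truncated": bool(flags & FLAG_TC), "qname": None, "qtype": None}
    if qdcount == 0:                         # e.g. a reply carrying no question
        return info
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        n = msg[pos]; pos += 1
        if n == 0:
            break
        if n >= 0xC0:                        # compression pointers are not valid here
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[pos:pos + n].decode("ascii")); pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated question section")
    info["qname"] = ".".join(labels) + "."
    info["qtype"] = struct.unpack("!H", msg[pos:pos + 2])[0]
    return info

def classify(msg: bytes) -> str:
    """Label a message for a tcp/53 rule: transfer request, TC retry, or ordinary."""
    d = parse_message(msg)
    if not d["response"] and d["qtype"] in (AXFR, IXFR):
        return "zone-transfer-request"
    if d["response"] and d["truncated"]:
        return "truncated-reply-expect-tcp-retry"
    return "ordinary"

# Constructed samples (hypothetical names, not real traffic)
AXFR_QUERY = build_message(0x1234, 0x0000, "domain.com", AXFR)
TRUNCATED_REPLY = build_message(0x4321, FLAG_QR | FLAG_TC, "host.domain.com", 12)  # PTR
```

Only the zone-transfer-request class is something an allow-transfer (or xfernets) list should be restricting; truncated replies are normal resolver traffic that must be allowed to retry over TCP.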