> -----Original Message-----
> From: Dan Horth [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 17 January 2001 3:56
> To: [EMAIL PROTECTED]
> Subject: Blocking Port 53 for range 1:1023
>
>
> Hiya - I have our firewall set up to only allow traffic to port 53 on
> our DNS server when it originates from ports 1024 and higher as per
> advice I read while originally setting up our firewall.
Hm. Possibly not the best advice. There is no reason why you should trust
external high ports any more than external low ports - should be the
opposite, in theory.
> I've been
> noticing reasonably frequent occurrences of packets coming in in the
> 1:1023 range, and being denied.
Yeah, DNS server-to-server queries often use 53 as the source. AFAIK the
jury's still out as to whether this is legal / correct.
> Is there any reason why I shouldn't be just opening up all traffic
> destined to port 53 on our DNS server?
Not that I can think of... If your DNS server is also a DNS forwarder for
your local network then you should really allow TCP and UDP. This is because
very large DNS replies get sent with TCP. If you want to block zone
transfers, though, you should be careful with incoming 53/TCP.
> Thanks in advance, Dan.
> --
>
> Telezygology / Nitro
> 3D Visualisation, Graphics & Animation
> Ph (+61 2) 9810 5177 Fx (+61 2) 9810 0199
> http://www.nitro.com.au/
> PGP Public Key: http://www.nitro.com.au/Dan_Horth.pgp.key
Cheers,
--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
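To make the difference between the two policies concrete, here is a small model of both rulesets run over a handful of sample packets. This is an added illustration, not part of the original thread and not anyone's real firewall configuration; the DNS server address, the secondary-server network and all packets are constructed for the example. It shows why the source-port-based rule drops the server-to-server queries Dan was seeing, and what an optional restriction of 53/TCP to known secondaries costs (resolvers retrying a truncated answer over TCP are dropped too).

```python
"""Model of the firewall policies discussed above (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DNS_SERVER = ip_address("192.0.2.10")            # constructed: the DNS server being protected
SECONDARIES = [ip_network("198.51.100.0/24")]    # constructed: hosts allowed to pull zones over TCP


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "udp" or "tcp"


def original_policy(pkt: Packet) -> str:
    """The rule Dan started with: traffic to 53 on the DNS server is accepted
    only when the source port is 1024 or higher, regardless of protocol."""
    if ip_address(pkt.dst) == DNS_SERVER and pkt.dport == 53 and pkt.sport >= 1024:
        return "ACCEPT"
    return "DROP"


def revised_policy(pkt: Packet, restrict_tcp_to_secondaries: bool = False) -> str:
    """Ben's suggestion: accept UDP and TCP to port 53 from any source port.
    With restrict_tcp_to_secondaries=True, 53/TCP is only accepted from the
    SECONDARIES networks, which blocks zone transfers from anyone else at the
    firewall but also drops legitimate TCP retries of large answers."""
    if ip_address(pkt.dst) != DNS_SERVER or pkt.dport != 53:
        return "DROP"
    if pkt.proto == "udp":
        return "ACCEPT"
    if pkt.proto == "tcp":
        if not restrict_tcp_to_secondaries:
            return "ACCEPT"
        if any(ip_address(pkt.src) in net for net in SECONDARIES):
            return "ACCEPT"
        return "DROP"
    return "DROP"


# Constructed sample traffic, in order:
SAMPLE = [
    Packet("203.0.113.5", 53, "192.0.2.10", 53, "udp"),      # server-to-server query, source port 53
    Packet("203.0.113.5", 40000, "192.0.2.10", 53, "udp"),   # ordinary resolver query, high source port
    Packet("203.0.113.5", 40001, "192.0.2.10", 53, "tcp"),   # TCP retry after a truncated UDP answer
    Packet("198.51.100.7", 50000, "192.0.2.10", 53, "tcp"),  # zone transfer from a known secondary
    Packet("203.0.113.9", 1024, "192.0.2.10", 25, "tcp"),    # not DNS at all; never matches
]


def evaluate(policy, packets=SAMPLE):
    """Apply a policy callable to each packet and return the list of verdicts."""
    return [policy(p) for p in packets]


if __name__ == "__main__":
    for name, pol in [
        ("original (sport >= 1024)", original_policy),
        ("revised (any sport, udp+tcp)", revised_policy),
        ("revised, 53/tcp only from secondaries",
         lambda p: revised_policy(p, restrict_tcp_to_secondaries=True)),
    ]:
        print(f"{name:40s} {evaluate(pol)}")
```

The first verdict in each run is the one that matters for the log entries Dan describes: the source-port-53 query is dropped by the original policy and accepted by the revised one. Whether to use the restricted TCP variant depends on whether the server answers arbitrary resolvers; if it does, leaving 53/TCP open and limiting zone transfers in the name server's own configuration is the usual compromise.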
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]