On Wed, 17 Jan 2001, Dan Horth wrote:

> Is there any reason why I shouldn't be just opening up all traffic
> destined to port 53 on our DNS server?

1. Older nameservers sourced their own queries on port 53.  I've sometimes
set up nameservers to do this specifically to normalize packet filtering
rulebases, and I'd expect that others might too.

2. For untrusted clients, the originating port has zero significance.  If
you want people to reach you, then you should allow the traffic.

3. I'd *really* recommend moving to DNS Cache if you're running BIND for
your nameserver.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
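To make the second point concrete: a rule that keys on the client's source port is not a control, because any client picks its own source port. What matters for an authoritative or recursive server that untrusted clients must reach is the destination port, and both UDP and TCP need to be open (TCP carries truncated-response retries and zone transfers). The ruleset below is an added example written for this reply in nftables syntax; it is not from the original message or from any product discussed. The interface name `eth0` and the server address `192.0.2.53` are placeholders.

```nft
# Added example: inbound filtering for a public DNS server.
# Assumptions: external interface eth0, DNS server at 192.0.2.53 (placeholder).

table inet dns_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Return traffic for sessions the server itself opened (its own
        # outbound queries, whatever source port the server picks).
        ct state established,related accept

        # WEAK (do not use): matching on the client's source port only lets
        # through clients that happen to use sport 53 (old resolvers, or any
        # attacker who binds to 53).  It neither protects the server nor
        # reliably admits legitimate clients, whose source port is arbitrary.
        # ip daddr 192.0.2.53 udp sport 53 udp dport 53 accept

        # CORRECT: what identifies DNS traffic to this host is the
        # destination port.  Open it for UDP and TCP, from any source port.
        iifname "eth0" ip daddr 192.0.2.53 udp dport 53 accept
        iifname "eth0" ip daddr 192.0.2.53 tcp dport 53 accept
    }
}
```

If you do restrict a server's own outbound queries elsewhere in the rulebase, remember point 1 above: an older nameserver (or one deliberately configured that way) sends its queries from source port 53, so an egress rule that only permits high source ports will silently break resolution for that host.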
