DNS TCP is used for sending long DNS information as well as zone transfers. If you 
block 53/TCP you will prevent your users from properly getting to sites that do a lot 
of virtual hosting since the reverse lookups for IP addresses often have hundreds of 
FQDNs for the virtual hosts and most firewalls use reverse lookups to include domain 
names in logs.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Ron Ryan
Sent: Friday, February 09, 2001 14:30
To: [EMAIL PROTECTED]
Subject: Re: dns security

> First I would filter all ports on the DNS server and only open those
> necessary. These might include udp/tcp 53 to the world and ssh from select
> internal hosts. Verify you are always running the latest version of BIND
> (probably in the 9.x series) or possibly you have switched over to a
> better solution (djbdns)[1].

I wouldn't recommend allowing tcp 53 unless you absolutely have to and then
only with a trusted DNS server. TCP is normally used for zone transfers and
you don't want to give away that information.
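An added example, not code from either poster, that makes both points in this thread concrete: a small parser for the DNS wire format that flags an AXFR (zone transfer) request arriving from an address outside the secondaries you chose, and a truncated (TC bit) UDP reply, which is the signal that the resolver will retry the same query over 53/tcp. The function names, the trusted-secondary address and the sample messages are constructed for the example.

```python
import struct

QR_FLAG = 0x8000   # header bit: message is a response
TC_FLAG = 0x0200   # header bit: reply was truncated, client retries over TCP
QTYPE_AXFR = 252   # full zone transfer request (RFC 1035)

def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")) + b"\x00"

def build_message(name: str, qtype: int, flags: int, txid: int = 0x1234) -> bytes:
    """Build a constructed one-question DNS message (header + question, no answer section)."""
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", qtype, 1)  # class IN

def parse_message(msg: bytes) -> dict:
    """Return header flags and the first question of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes")
    txid, flags, qdcount, *_ = struct.unpack("!6H", msg[:12])
    labels, off = [], 12
    while qdcount:                      # walk the labels of the first question name
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:               # compression pointers are not valid in a question name
            raise ValueError("compressed label in question")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    qtype = struct.unpack("!H", msg[off:off + 2])[0] if qdcount else None
    return {"id": txid, "response": bool(flags & QR_FLAG),
            "truncated": bool(flags & TC_FLAG), "qname": ".".join(labels), "qtype": qtype}

def classify(msg: bytes, transport: str, src_ip: str, trusted_secondaries: set) -> str:
    """Label a DNS message as seen at the firewall; transport is 'udp' or 'tcp'."""
    info = parse_message(msg)
    if not info["response"] and info["qtype"] == QTYPE_AXFR:
        # zone transfer request: legitimate only from the secondaries we chose
        return "axfr-trusted" if src_ip in trusted_secondaries else "axfr-untrusted"
    if info["response"] and info["truncated"] and transport == "udp":
        # the resolver will now repeat this question over 53/tcp; blocking it breaks the lookup
        return "truncated-expect-tcp-retry"
    return "ordinary"

# constructed samples; addresses are documentation-range placeholders, not real hosts
TRUSTED = {"192.0.2.53"}
AXFR_QUERY = build_message("example.com", QTYPE_AXFR, flags=0x0000)
TRUNCATED_REPLY = build_message("3.2.0.192.in-addr.arpa", 12, flags=QR_FLAG | TC_FLAG)  # PTR = 12
```

Run against a capture, the first label is the case Ron wants blocked and the second is the case the reply above warns about: a firewall that drops all of 53/tcp turns every truncated reverse lookup into a failed log entry.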


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]