> > Maybe I'm ignorant -- a very plausible case -- but opening port
> > 53 to anyone from anywhere might expose one to DoS exploits.
>
>How can you use DNS and not open port 53?
The key is incoming vs. outgoing traffic.
You are correct that the IMail server *must* be able to send outgoing DNS
packets, and receive the responses. Otherwise, it can't send mail (even if
the DNS server is on the IMail server, it still has to reach the root servers).
However, unless the IMail server also has a DNS server running on it that
needs to be accessed by the "outside world" (if it is one of the DNS
servers listed at root by Network Solutions or whichever company handles
your domain(s)), it does not have any need to receive packets on the DNS
port. When IMail sends out DNS requests, they are sent to port 53 on the
remote DNS server, but they come back on a different port (one greater than
1024 that is just used temporarily).
So, the firewall can be set to block *incoming* DNS traffic, but IMail's
outgoing DNS packets (and the responses it receives) will be able to pass
through the firewall. From a security standpoint, this is considered
acceptable because the only traffic that results is traffic requested from
the internal computer. This doesn't mean that damage can't be done, though
(with an older DNS server, you could receive bogus packets; for example,
looking up a record at "evilhacker.com" could return an A record for
www.microsoft.com that points to them). But, that's a risk that must be
taken (without enabling outgoing DNS packets, mail can't be sent out).
-Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
IMail. http://www.declude.com
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
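As an added illustration of the filtering described in Scott's post (this is example code, not part of the original message and not IMail's or Declude's own logic): a small stateful filter that lets the mail host's own queries out to remote port 53 from an ephemeral local port, admits only the matching reply back to that port, and drops anything arriving unsolicited on port 53. It also applies the check that the post's "older DNS server" lacked, discarding answer records that are outside the queried domain, such as an A record for www.microsoft.com inside a reply about evilhacker.com. The addresses, ports and transaction ID are made-up test values, the DNS builder/parser is a minimal one written for this example, and the bailiwick rule (owner name must be the queried name or share its parent domain) is a deliberate simplification of what a real resolver does.

```python
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One UDP datagram as the firewall sees it (ports are UDP ports)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes  # raw DNS message


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(txid, qname):
    """Minimal DNS query: header with RD set and one A/IN question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid, qname, answers):
    """Response echoing the question plus one A record per (owner, ipv4) pair.
    Names are written uncompressed so the reader below sees plain labels."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, ip in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return msg


def read_name(msg, off):
    """Decode a wire name, following 0xC0 compression pointers; returns (name, next_offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    if not jumped:
        end = off
    return ".".join(labels).lower(), end


def parse_dns(msg):
    """Return (txid, is_response, qname, [(owner, ipv4), ...]) for A records in the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4  # skip qtype and qclass
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((owner, str(ipaddress.IPv4Address(rdata))))
    return txid, bool(flags & 0x8000), qname, answers


def in_bailiwick(owner, qname):
    """Simplified bailiwick test (assumption for this example): the record's owner must be
    the queried name or live under the same parent domain as the queried name."""
    parent = qname.split(".", 1)[1] if "." in qname else qname
    return owner == qname or owner == parent or owner.endswith("." + parent)


class DnsFirewall:
    """Stateful filter in front of a mail host that publishes no DNS server of its own."""

    def __init__(self, mail_host):
        self.mail_host = mail_host
        self.pending = {}  # (local ephemeral port, remote resolver ip, txid) -> qname

    def outbound(self, pkt):
        """Let the host's own queries out, remembering what is needed to recognise the reply."""
        if pkt.src_ip != self.mail_host or pkt.dst_port != 53:
            return "DROP"
        txid, is_resp, qname, _ = parse_dns(pkt.payload)
        if is_resp or pkt.src_port < 1024:
            return "DROP"  # queries leave from a temporary high port, never from 53
        self.pending[(pkt.src_port, pkt.dst_ip, txid)] = qname
        return "ACCEPT"

    def inbound(self, pkt):
        """Admit only replies to recorded queries; return (verdict, answers kept)."""
        if pkt.dst_ip != self.mail_host:
            return "DROP", []
        if pkt.dst_port == 53:
            return "DROP_UNSOLICITED", []  # nobody outside may open a conversation on port 53
        txid, is_resp, qname, answers = parse_dns(pkt.payload)
        key = (pkt.dst_port, pkt.src_ip, txid)
        if pkt.src_port != 53 or not is_resp or self.pending.get(key) != qname:
            return "DROP_NO_STATE", []  # nothing asked for this: spoofed, stale or replayed
        del self.pending[key]  # one reply per query
        kept = [(owner, ip) for owner, ip in answers if in_bailiwick(owner, qname)]
        return "ACCEPT", kept


if __name__ == "__main__":
    fw = DnsFirewall("192.0.2.10")  # constructed addresses, not real hosts
    fw.outbound(Packet("192.0.2.10", 40123, "198.51.100.53", 53, build_query(0x1234, "www.evilhacker.com")))
    bogus = build_response(0x1234, "www.evilhacker.com",
                           [("www.evilhacker.com", "203.0.113.66"), ("www.microsoft.com", "203.0.113.66")])
    print(fw.inbound(Packet("198.51.100.53", 53, "192.0.2.10", 40123, bogus)))
```

The reply is matched on the local ephemeral port, the resolver's address, the transaction ID and the question, and the state is consumed on first use, so an attacker who never saw the query has to guess both the port and the ID to get a forged reply through; the bailiwick filter is the second line of defence for the case the post describes, where a reply from one domain tries to plant a record for another.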