telnet to port 53

Lars-Johan Liman liman at sunet.se
Tue Dec 14 19:32:32 UTC 1999


ddiamond at indigo.ie:
> I am using BIND 8.2.2 patchlevel 5 as a caching only server on
> FreeBSD 3.3-STABLE.  In the interests of security I want to disable
> named running on TCP port 53. I only want UDP 53 open.  As I have
> been told a golden rule in securing a box is to get rid of services
> that are not needed.  I would prefer to be able to disable TCP port
> 53 using some startup option on BIND rather than filtering it out
> using a firewall.

> Is this possible?

I don't think so, and doing so has serious drawbacks.

The DNS protocol usually uses UDP (single packets), but if the data in
a DNS answer doesn't fit in a single packet, the client will be
informed about the fact (a certain flag in the answer packet called
"truncated"), and it will re-send the query using TCP, so that all
information can be transferred. If you cut out the TCP service, the
server will be unable to provide the full answer to such queries, and
the clients trying to obtain your DNS information in order to access
your services (web?  mail? other?) will have a hard time doing so. I
would consider the service "needed" if you want DNS to function.

TCP queries will probably be more and more common as the DNS system
carries more and more information. It will be especially important when
the new security enhancements to the protocol are being introduced,
since they introduce large data chunks that need to be transferred
(e.g., signatures and keys).

I suggest that you leave it open.

				Best regards,
				  /Liman
#----------------------------------------------------------------------
# Lars-Johan Liman, Systems Specialist	! E-mail: liman at sunet.se
# KTH Network Operations Centre         ! HTTP  : //www.sunet.se/~liman
# Royal Institute of Technology, Sweden	! Voice : Int +46 8 - 790 65 60
#----------------------------------------------------------------------
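The UDP-then-TCP fallback Liman describes, as an added example that is not part of the original post: the client sends the query over UDP, checks the TC ("truncated") bit in the reply header, and on TC re-sends the identical query over TCP with the 2-byte length prefix that DNS over TCP requires. The query name example.com, the 192.0.2.1 answer and the two fake_* server stand-ins are constructed for an offline run; tcp_transport is a real sender that can be paired with a UDP sender of your own against a live resolver.

```python
import socket
import struct

TC_BIT = 0x0200  # "truncated" flag, bit 9 of the DNS header flags word

def build_query(name, qid=0x1234, qtype=1):
    """Minimal DNS query (type A, class IN) with the RD bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def is_truncated(msg):
    """True if the server set TC: the answer did not fit and must be fetched over TCP."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_BIT)

def resolve(query, udp_send, tcp_send):
    """UDP first; on TC re-send the identical query over TCP. Returns (message, used_tcp)."""
    reply = udp_send(query)
    if not is_truncated(reply):
        return reply, False
    # DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2).
    framed = tcp_send(struct.pack("!H", len(query)) + query)
    return framed[2:2 + struct.unpack("!H", framed[:2])[0]], True

def tcp_transport(server, port=53, timeout=3.0):
    """Real TCP sender: reads the length prefix, then exactly that many body bytes."""
    def send(framed_query):
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(framed_query)
            data = s.recv(2)
            need = 2 + struct.unpack("!H", data)[0]
            while len(data) < need:
                data += s.recv(need - len(data))
            return data
    return send

# Constructed offline stand-ins for a server whose answer exceeds the UDP limit.
def fake_udp(query):
    """Echo the ID and question, set QR|TC|RD|RA (0x8380), carry no records."""
    return query[:2] + struct.pack("!H", 0x8380) + query[4:]

def fake_tcp(framed_query):
    """Full answer with TC clear: the question plus one constructed A record (192.0.2.1)."""
    q = framed_query[2:]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    msg = q[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + q[12:] + rr
    return struct.pack("!H", len(msg)) + msg
```

Filtering TCP/53 makes the second leg of resolve() fail, which is exactly the case where the truncated UDP reply carried no usable records.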

