DNS and firewall
Barry Margolin
barmar at bbnplanet.com
Fri Dec 17 21:19:03 UTC 1999
In article <385A9D1A.7138E51F at edgix.com>,
Bob Kryger <bkryger at edgix.com> wrote:
>Question: It seems that DNS zone transfers are done via port 53 as well
>as resolutions. Is this true?
Yes. Normal queries usually use UDP, although TCP is also allowed and may
be necessary if the response is large. Zone transfers always use TCP.
>If this is true then I must rely on the BIND mechanisms for 'securing'
>zone transfers to specifically allowed systems, and cannot get fancy
>with the firewall configurations.
That's what I recommend. You could also realize that there's not really
much security gained by prohibiting zone transfers in the first place
(there was a discussion of this in comp.security.unix this week).
--
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
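A BIND named.conf fragment showing the allow-transfer restriction Barry recommends, as an added example that is not part of the original post. The zone name, the 192.0.2.x secondary addresses and the key name are placeholders, and the three zone stanzas are alternatives to compare, not meant to be loaded together.

```conf
// Hypothetical named.conf fragment (added example, not from the post).
// Assumes a primary for "example.com" with two secondaries at the
// documentation addresses 192.0.2.10 and 192.0.2.11.

// Default for every zone: refuse transfers unless a zone says otherwise.
options {
    allow-transfer { none; };
};

// Weak: no allow-transfer, relying on the firewall. Transfers use TCP
// port 53 like any large query, so a port rule cannot single them out,
// and older BIND releases answer AXFR from anyone by default.
zone "example.com" {
    type master;
    file "db.example.com";
};

// Restricted by address: name the secondaries in an ACL and let only
// those addresses pull the zone.
acl "secondaries" {
    192.0.2.10;
    192.0.2.11;
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { secondaries; };
};

// Restricted by TSIG key (BIND 9 syntax): the transfer must be signed,
// so the check no longer rests on a spoofable source address alone.
// The secret is a placeholder; generate a real one and keep it private.
key "xfer-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER_BASE64_SECRET==";
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { key "xfer-key"; };
};
```

After loading the configuration, confirm with BIND 9's named-checkconf that it parses, and check from a host that is not listed that an AXFR request against your own server is refused while the listed secondaries still transfer.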