DNS and firewall

Barry Margolin barmar at bbnplanet.com
Fri Dec 17 21:19:03 UTC 1999


In article <385A9D1A.7138E51F at edgix.com>,
Bob Kryger  <bkryger at edgix.com> wrote:
>Question: It seems that DNS zone transfers are done via port 53 as well
>as resolutions. Is this true?

Yes.  Normal queries usually use UDP, although TCP is also allowed and may
be necessary if the response is large.  Zone transfers always use TCP.

>If this is true then I must rely on the BIND mechanisms for 'securing'
>zone transfers to specifically allowed systems, and cannot get fancy
>with the firewall configurations.

That's what I recommend.  You could also realize that there's not really
much security gained by prohibiting zone transfers in the first place
(there was a discussion of this in comp.security.unix this week).

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
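Added example (not part of the original post or of BIND's own documentation): BIND 9 named.conf fragments showing the two ways to handle the point above. Since ordinary lookups also use TCP/53 when an answer is too large for UDP, a firewall that blocks TCP/53 breaks normal resolution and still cannot tell AXFR apart from a large query, so the restriction has to live in named.conf. The zone name, addresses, ACL name, key name and secret are assumed for illustration; `type primary`/`secondary` and `primaries` are the BIND 9.16+ spellings of `master`/`slave`/`masters`.

```conf
// ===== Weak: every host that can reach TCP/53 can pull the whole zone =====
zone "example.com" {
    type primary;
    file "db.example.com";
    allow-transfer { any; };      // explicit "open to the world" policy
};

// ===== Hardened primary: deny globally, allow only authenticated secondaries =====
key "xfer-key" {                  // shared TSIG key; generate with tsig-keygen
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET=";   // placeholder, assumed value
};

acl "secondaries" { 192.0.2.53; 2001:db8::53; };   // assumed secondary addresses

options {
    directory "/var/named";
    allow-query    { any; };      // normal resolution is unaffected
    allow-transfer { none; };     // default for every zone: refuse AXFR/IXFR
};

zone "example.com" {
    type primary;
    file "db.example.com";
    // Require BOTH a source address in "secondaries" AND a valid TSIG signature.
    // The inner negated list rejects any address outside the ACL before the
    // key clause is consulted, so a spoofed address or a stolen key alone fails.
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
    also-notify    { 192.0.2.53; };
};

// ===== Secondary (separate named.conf, same key stanza required) =====
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET=";   // must match the primary
};

server 192.0.2.1 { keys { "xfer-key"; }; };   // sign every request to the primary

zone "example.com" {
    type secondary;
    primaries { 192.0.2.1 key "xfer-key"; };  // assumed primary address
    file "db.example.com";
};
```

To check the result, request a transfer from a host that is not listed: `dig @192.0.2.1 example.com AXFR` should end with `; Transfer failed.` and named logs the refusal, while the same command from the secondary with `-y hmac-sha256:xfer-key:<secret>` completes. Barry's caveat still applies: anyone allowed to query the zone can enumerate most of its contents record by record, so this setting limits convenience for an attacker rather than hiding the data.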