How common is blocking tcp port 53 to prevent unauthorized zone transfers?

Jim Reid jim at rfc1035.com
Thu Oct 26 21:52:02 UTC 2000


>>>>> "David" == David Hines <david.hines at intel.com> writes:

    David> How commonly is this approach used to limit zone transfers,

I dunno. Even if it's common, it's wrong.

    David> and should I worry about it with respect to
    David> queries/responses greater than 512 bytes?

Given that rejecting TCP queries - which is what you'd be doing - is a
violation of the RFCs, I'd say you should worry about it. OTOH, the
chances are that you probably won't be truncating regular UDP replies
since DNS answers mostly fit into the usual 512 byte payload. However
blocking all TCP traffic to port 53 is simply the wrong thing to
do. Some applications will use TCP to query your server, especially
when they know they will be making lots of queries. Here's an extract
from the gethostent() man page: "The sethostent() function may be used
to request the use of a connected TCP socket for queries."

If you just want to block zone transfers - I don't see the point of
this myself - there are plenty of ways to do just that. For example,
you could use TSIG to only allow "trusted" hosts to transfer the
zone(s). Another possibility is allow-transfer clauses in named.conf
(with TSIG or just source IP address access control lists). Or if
you're really paranoid, implement split DNS so that the outside world
sees a different version of your name space from the one you use
internally, i.e. the outside world only gets to see and transfer what
you want them to see.
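An added illustration, not part of Jim Reid's message or of BIND's own documentation, of what the allow-transfer, TSIG and split-DNS options he lists look like in a BIND 9 named.conf. It assumes BIND 9.16 or later (`type primary`; older releases spell it `master`); the zone name, the 10.0.0.0/8 and 192.0.2.x addresses and the key secret are constructed placeholders.

```conf
// Added example: BIND 9 named.conf fragment that restricts zone transfers
// without touching TCP port 53. Assumed: BIND 9.16+ syntax. "example.com",
// the addresses and the key secret are constructed placeholders.

// TSIG key shared with the secondaries. The secret here is a placeholder;
// generate a real one with:  tsig-keygen xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0";
};

options {
    directory "/var/named";
    // Global default: nobody may transfer any zone. Individual zones opt in.
    // TCP port 53 is left open, so ordinary TCP queries (and truncated-UDP
    // retries) are still answered.
    allow-transfer { none; };
};

// Internal view: the full zone. Transfers require a TSIG-signed request.
// Matching on the key as well as the address range lets a secondary that
// signs with xfer-key land in this view even from a non-internal address.
view "internal" {
    match-clients { 10.0.0.0/8; key xfer-key; };

    zone "example.com" {
        type primary;
        file "internal/example.com.zone";
        // TSIG-based control: only requests signed with xfer-key.
        allow-transfer { key xfer-key; };
        // Weaker, address-only alternative (source addresses are not
        // authenticated):
        //   allow-transfer { 192.0.2.10; 192.0.2.11; };
        also-notify { 192.0.2.10; 192.0.2.11; };
    };
};

// External view (split DNS): a separate, smaller zone file for the outside
// world, with no transfers at all.
view "external" {
    match-clients { any; };

    zone "example.com" {
        type primary;
        file "external/example.com.zone";
        allow-transfer { none; };
    };
};
```

Check the syntax with `named-checkconf` before reloading. Afterwards an unsigned `dig @<server> example.com AXFR` should come back REFUSED while a plain `dig +tcp @<server> example.com A` still answers, which is the behaviour the message argues for: transfers restricted, TCP queries untouched. Denied transfer attempts show up in named's security log category, which is the place to watch for them.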


