tcp/udp, clarification please

Brad Knowles brad.knowles at skynet.be
Thu Oct 11 20:37:27 UTC 2001


At 11:43 AM -0400 2001/10/11, Eoin Miller wrote:

>  brad... the DNS servers can talk to each other using TCP no problem, *ONLY*
>  the rest of the world is blocked from using anything other than UDP, the DNS
>  servers can use TSIG no problem, ONLY INCOMING TCP requests would
>  be blocked at the firewall, on the DMZ the TCP traffic would flow freely
>  back and forth between NS1 and NS2.

	But DNSSEC is something done between your servers and the 
rest of the world, so blocking TCP still breaks that.  And it probably 
wouldn't be too much fun with IPv6 (which makes addresses much, much 
longer), either.


	However, as I previously pointed out, the real security issue 
with DNS is from *UDP* packets, not *TCP*.  Therefore, if you want to 
make your nameserver truly secure, you will turn off all UDP packets 
at your firewall to your nameserver.

	Please make sure that you do this ASAP, so as to protect 
yourself against cache poisoning, DoS, and other spoofing attacks.


	BTW, I am now filing a complaint with RCN to get your account 
terminated.

-- 
Brad Knowles, <brad.knowles at skynet.be>
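The mechanism behind the "blocking TCP still breaks that" point is the RFC 1035 truncation rule: a UDP answer that does not fit is returned with the TC bit set, and the querier is expected to retry the same question over TCP/53. The following is an added example, not part of the mailing-list post above and not BIND code. It builds a minimal DNS query, parses the header flags of constructed (not captured) UDP replies, applies the TCP-framing rule (2-byte length prefix), and shows what a resolver is left with when the truncated reply cannot be followed up because inbound TCP/53 is filtered. The names and the sample address 192.0.2.1 are assumptions chosen for the example.

```python
import struct

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal RFC 1035 query: header (RD=1, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg):
    """Decode the 12-byte DNS header; TC (0x0200) is the truncation flag."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def unframe_from_tcp(stream):
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]

def make_response(query, truncated):
    """Constructed server reply (sample data, not a real capture).
    truncated=True sets TC and carries no answers, as a server does when the
    full answer would not fit in the UDP payload it is allowed to send."""
    txid = parse_header(query)["id"]
    flags = 0x8180 | (0x0200 if truncated else 0)        # QR, RD, RA [, TC]
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0 if truncated else 1, 0, 0)
    body = query[12:]                                      # echo the question
    if not truncated:
        # one A record: name = pointer to offset 12, type A, class IN, TTL 300,
        # RDLENGTH 4, address 192.0.2.1 (documentation range, assumed)
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return hdr + body

def resolver_decision(udp_reply, tcp_allowed):
    """What a querier does with a UDP reply given the firewall policy."""
    h = parse_header(udp_reply)
    if not h["qr"]:
        return "ignored: not a response"
    if not h["tc"]:
        return "complete"
    # RFC 1035 section 4.2.1: on TC, retry the query using TCP
    return "retry over TCP" if tcp_allowed else "fail: truncated and TCP/53 blocked"

if __name__ == "__main__":
    q = build_query("example.com")
    for truncated in (False, True):
        for tcp_allowed in (True, False):
            reply = make_response(q, truncated)
            print(f"TC={int(truncated)} tcp_allowed={tcp_allowed}: "
                  f"{resolver_decision(reply, tcp_allowed)}")
    # the TCP retry carries the same message, just length-framed
    assert unframe_from_tcp(frame_for_tcp(q)) == q
```

The point the script makes concrete: the UDP path is the one an attacker can spoof trivially, yet it is the TCP path that a firewall policy of "UDP only" removes, and with it every answer a server has to truncate.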
