tcp/udp, clarification please
brad.knowles at skynet.be
Thu Oct 11 20:37:27 UTC 2001
At 11:43 AM -0400 2001/10/11, Eoin Miller wrote:

> brad... the DNS servers can talk to each other using TCP no problem, *ONLY*
> the rest of the world is blocked from using anything other than UDP, the DNS
> servers can use TSIG no problem, TCP would ONLY INCOMING TCP requests would
> be blocked at the firewall, on the DMZ the TCP traffic would flow freely
> back and forth between NS1 and NS2.

But DNSSEC is something done between your servers and the
rest of the world, so blocking TCP still breaks that. And it probably
wouldn't be too much fun with IPv6 (which makes addresses much, much

However, as I previously pointed out, the real security issue
with DNS is from *UDP* packets, not *TCP*. Therefore, if you want to
make your nameserver truly secure, you will turn off all UDP packets
at your firewall to your nameserver.

Please make sure that you do this ASAP, so as to protect
yourself against cache poisoning, DoS, and other spoofing attacks.

BTW, I am now filing a complaint with RCN to get your account

Brad Knowles, <brad.knowles at skynet.be>
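As an added example that is not part of this thread or of BIND itself, the following nftables ruleset shows a DMZ nameserver firewall policy that admits DNS from the rest of the world over both UDP and TCP on port 53, rather than UDP only as the quoted policy does. The address 192.0.2.53, the IPv6 address 2001:db8::53 and the interface name "dmz0" are placeholders. Inbound TCP is what a resolver falls back to when a UDP answer comes back truncated, what zone transfers between NS1 and NS2 use, and what the larger DNSSEC-signed responses frequently need, so dropping it at the firewall edge breaks those cases for outside clients even though the two servers can still reach each other.

```nft
# Added example, not from the thread: minimal nftables ruleset for a DMZ
# nameserver. 192.0.2.53, 2001:db8::53 and "dmz0" are placeholders.
table inet dns_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        # Keep established flows (including a client's TCP retry after a
        # truncated UDP answer) working.
        ct state established,related accept
        iif lo accept

        # DNS from anywhere: both transports, not UDP only.
        iif "dmz0" ip daddr 192.0.2.53 udp dport 53 accept
        iif "dmz0" ip daddr 192.0.2.53 tcp dport 53 accept

        # Same for IPv6, where larger responses make TCP fallback more common.
        iif "dmz0" ip6 daddr 2001:db8::53 udp dport 53 accept
        iif "dmz0" ip6 daddr 2001:db8::53 tcp dport 53 accept
    }
}
```

Load it with `nft -f` and confirm from an outside host that a query forced over TCP (for example `dig +tcp` against the server) is answered; if only the UDP query succeeds, the TCP rule is not taking effect.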