Disable TCP/53

dave.goldsmith at intelsat.com
Fri Feb 22 18:43:25 UTC 2002


There have been a number of responses along the lines of "your firewall is
broken -- fix it".  This is not necessarily the case.  DNS uses TCP for two
reasons.  The first is zone transfers, the second is to return responses to
queries that are too large to fit in a UDP packet.

Regarding zone transfers, you should only allow authorized external
secondary DNS servers to do a zone transfer from your server.  Two security
settings can be applied here.  On the DNS server, you can specify a list of
servers authorized to pull zone files.  If you have a firewall of some sort,
you can also restrict access to TCP/53 on your DNS server to the same list
of authorized secondaries.  Restricting access to TCP/53 on the firewall
will interfere with the ability to use TCP for large query responses, but
most people don't have DNS records so complex or numerous that the responses
don't fit in UDP response packets.

Dave Goldsmith

> -----Original Message-----
> From: Tan Chun Han/ITNOC/PBB/PBBG [mailto:tanch at publicbank.com.my]
> Sent: Wednesday, February 20, 2002 9:15 PM
> To: bind-users at isc.org
> Subject: Disable TCP/53
> 
> Hi, our firewall keeps detecting and rejecting TCP/53 queries.
> Does bind by default use TCP/53 and UDP/53? Is there any way 
> to disable
> TCP/53, thus enabling UDP/53?
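The two TCP uses discussed in the reply above, as an added example that is not part of the original post or of BIND: it builds a minimal DNS query, detects the TC (truncated) flag that tells a resolver to retry over TCP, applies the 2-byte length framing DNS uses on TCP, and models the firewall policy the reply recommends (UDP/53 open to everyone, TCP/53 only from listed secondaries) to show which TCP retries such a policy would drop. The addresses, the `AUTHORIZED_SECONDARIES` list, the constructed packets and all function names are assumptions made for the example; the policy model is a stand-in for real firewall rules, not a rule generator.

```python
"""Added example (not from the original post): DNS query/response header
handling, TC-bit detection, TCP framing, and a model of the recommended
firewall policy. All packets and addresses are constructed for illustration."""
import ipaddress
import struct

# Constructed list of authorized secondaries (an assumption for this example).
AUTHORIZED_SECONDARIES = {"192.0.2.10", "198.51.100.20"}

DNS_PORT = 53
QR_FLAG = 0x8000          # response bit in the flags word
TC_FLAG = 0x0200          # TrunCation bit (RFC 1035 section 4.1.1)
RD_FLAG = 0x0100          # recursion desired


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its fields."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "flags": flags, "qr": bool(flags & QR_FLAG),
            "tc": bool(flags & TC_FLAG), "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_response: bytes) -> bool:
    """A resolver retries over TCP when the server set TC (RFC 1035 4.2.1)."""
    return parse_header(udp_response)["tc"]


def tcp_frame(message: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message


def tcp_unframe(stream: bytes) -> bytes:
    """Strip the TCP length prefix, refusing a stream shorter than it declares."""
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("truncated TCP DNS stream")
    return stream[2:2 + length]


def truncated_response(query: bytes) -> bytes:
    """Constructed server reply: same id and question, QR|TC set, no answers.
    This is what a server sends when the full answer will not fit in UDP."""
    hdr = parse_header(query)
    flags = QR_FLAG | TC_FLAG | RD_FLAG
    return struct.pack("!HHHHHH", hdr["id"], flags, hdr["qdcount"], 0, 0, 0) + query[12:]


def firewall_allows(proto: str, src_ip: str, dst_port: int) -> bool:
    """Model of the recommended policy: UDP/53 from anyone, TCP/53 only
    from the authorized secondaries (assumed list above)."""
    if dst_port != DNS_PORT:
        return False
    if proto == "udp":
        return True
    if proto == "tcp":
        return str(ipaddress.ip_address(src_ip)) in AUTHORIZED_SECONDARIES
    return False


def resolve_path(client_ip: str, udp_response: bytes) -> str:
    """Trace what happens to one client's lookup under that policy."""
    if not needs_tcp_retry(udp_response):
        return "answered over UDP"
    if firewall_allows("tcp", client_ip, DNS_PORT):
        return "retried over TCP"
    return "TCP retry dropped by firewall; lookup fails"


if __name__ == "__main__":
    q = build_query("example.com", qtype=15)   # MX query, constructed
    r = truncated_response(q)
    print("TC set:", needs_tcp_retry(r))
    print("TCP frame prefix:", tcp_frame(q)[:2].hex())
    for ip in ("192.0.2.10", "203.0.113.5"):
        print(ip, "->", resolve_path(ip, r))
```

The last two lines of output make the caveat in the reply concrete: a listed secondary can complete the TCP retry, while any other client whose UDP answer came back truncated simply fails. A BIND `allow-transfer` list on the server limits who can pull the zone without touching that retry path; the firewall restriction is what removes it.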