Disable TCP/53

Kevin Darcy kcd at daimlerchrysler.com
Fri Feb 22 23:03:08 UTC 2002


What are you so paranoid about? We've had zone-transfers open for years and not
once have we suffered from an AXFR DoS attack. Is all the maintenance of those
firewall rules buying your organization any real security, or is it just
feeding some PHB's gnawing case of paranoia? How many times have you had zone
transfers *break* because an off-site slave re-addressed their server and
forgot to tell you about it?

Oh, and what do you plan to do *if* some day your DNS maintainers decide to create
an RRset which will cause responses to overflow 512 bytes? Will you get enough
advance notice so that you can modify your firewall rules accordingly, or will
things just break unexpectedly?

If you're *that* paranoid about zone transfers, then use TSIG to restrict
access. But leave TCP/53 open on the firewalls. That's the only practical
option, IMO.


- Kevin


dave.goldsmith at intelsat.com wrote:

> There have been a number of responses in the line of "your firewall is
> broken -- fix it".  This is not necessarily the case. DNS uses TCP for two
> reasons.  The first is zone transfers, the second is to return responses to
> queries that are too large to fit in a UDP packet.
>
> Regarding zone transfers, you should only allow authorized external
> secondary DNS servers to do a zone transfer from your server.  Two security
> settings can be applied here.  On the DNS server, you can specify a list of
> servers authorized to pull zone files.  If you have a firewall of some sort,
> you can also restrict access to TCP/53 to your DNS server to the same list
> of authorized secondaries.  Restricting access to TCP/53 on the firewall
> will interfere with the ability to use TCP for large query response but most
> people don't have DNS records so complex or numerous that the responses
> don't fit in UDP response packets.
>
> Dave Goldsmith
>
> > -----Original Message-----
> > From: Tan Chun Han/ITNOC/PBB/PBBG [mailto:tanch at publicbank.com.my]
> > Sent: Wednesday, February 20, 2002 9:15 PM
> > To: bind-users at isc.org
> > Subject: Disable TCP/53
> >
> > Hi, our firewall keeps detecting and rejecting TCP/53 queries.
> > Does bind by default use TCP/53 and UDP/53? Is there any way
> > to disable
> > TCP/53, thus enabling UDP/53?
