Disable TCP/53

Jim Reid jim at rfc1035.com
Sat Feb 23 02:24:50 UTC 2002

>>>>> "dave" == dave goldsmith <dave.goldsmith at intelsat.com> writes:

    dave> Regarding zone transfers, you should only allow authorized
    dave> external secondary DNS servers to do a zone transfer from
    dave> your server.  Two security settings can be applied here.  On
    dave> the DNS server, you can specify a list of servers authorized
    dave> to pull zone files.  If you have a firewall of some sort,
    dave> you can also restrict access to TCP/53 to your DNS server to
    dave> the same list of authorized secondaries.  Restricting access
    dave> to TCP/53 on the firewall will interfere with the ability to
    dave> use TCP for large query response but most people don't have
    dave> DNS records so complex or numerous that the responses don't
    dave> fit in UDP response packets.

While this is true it does not mean that it's OK to block or refuse
TCP queries to port 53. Some applications that make lots of lookups --
like netstat -- can use a TCP connection for their queries.

More information about the bind-users mailing list