Disable TCP/53

Tan Chun Han/ITNOC/PBB/PBBG tanch at publicbank.com.my
Tue Feb 26 00:58:03 UTC 2002


what you've mentioned was our exact config.
Another thing that i want to stress is, we are not being "paraniod" about
disabling TCP53!
Couldn't find an option to do that, so i posted it to the newsgroups.

Anyhow, thank you all for your valuable comments!


dave at daveanderson.com@isc.org on 25/02/2002 11:34:44 PM

Please respond to dave at daveanderson.com

Sent by:  bind-users-bounce at isc.org

To:   comp-protocols-dns-bind at isc.org

Subject:  Re: Disable TCP/53

In <a51lf7$o0f at pub3.rc.vix.com>, "Tan Chun Han/ITNOC/PBB/PBBG"
<tanch at publicbank.com.my> writes:
>Hi, our firewall keeps detecting and rejecting TCP/53 queries.
>Does bind by default use TCP/53 and UDP/53? Is there any way to disable
>TCP/53, thus enabling UDP/53?

As people with much better knowledge than I have already said, a
nameserver must listen and reply on port 53 for both UDP and TCP.

If you want (or are required) to be very paranoid about this, the
obvious thing to do is to contract with someone outside your firewall to
provide nameservice for you.  If the only reason for not doing this is
that you want to be able to update your zones without going through a
third party, a technique which seems to work well is to contract for
secondary nameservice only and run a hidden primary nameserver inside
your firewall with the firewall configured to block all incoming traffic
for port 53 (both TCP and UDP) unless it is between the outside
secondary nameservers and your hidden primary nameserver.  [To allow
blocking all other UDP/53 traffic you must also configure all systems
inside your firewall to send DNS requests to a small number of
nameservers inside the firewall, configure those nameservers to forward
all requests for which they are not authoritative to some small number
of nameservers outside the firewall (here again, you'll need to contract
with someone), and configure the firewall to also allow incoming UDP
port 53 traffic from those outside namservers to the inside ones.]  This
sounds complicated but (with the possible exception of contract issues)
is actually pretty straightforward.


Dave Anderson
<dave at daveanderson.com>

More information about the bind-users mailing list