Restricting TCP / 53 on the firewall level

Pete Ehlke pde at ehlke.net
Mon Mar 25 18:25:40 UTC 2002


On Mon, Mar 25, 2002 at 12:56:49PM -0500, Kristin Gorman wrote:
> Does anyone see any issues with restricting TCP/53 on a firewall in front of
> your DNS server?  There would be no legitimate query that would warrant an
> answer larger than 512 bytes.  Zone transfers are done internally amongst
> machines behind the firewall.
> 
> I've seen postings that say it is not wise to do, but I cannot see any
> legitimate reasons not to.
> 
Section 4.2 of rfc 1035 is pretty clear. Datagrams are *preferred* for
query activity, but queries of any sort may take place over TCP. If you
block TCP, or use a server that does not respond to TCP queries, your
name service is broken as implemented.

What issue do you perceive with TCP queries that would cause you to want to
block them?

-Pete
-- 
"religious fanatics are not part of my desired user base." 
- djb at cr.yp.to
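The RFC 1035 behaviour Pete points to can be made concrete. The following is an added example, not code from this thread or from BIND: it builds a wire-format query, parses the header, checks the TC (truncated) bit that a server sets when a UDP answer would exceed 512 bytes, applies the 2-byte length framing TCP/53 uses (RFC 1035 section 4.2.2), and models what a resolver ends up with when the firewall drops the TCP retry. The function names and the sample responses are constructed for illustration.

```python
import struct

# RFC 1035 section 4.1.1 header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
DNS_HEADER = struct.Struct("!HHHHHH")
UDP_MAX = 512  # classic UDP payload limit without EDNS0 (RFC 1035 section 2.3.4)

FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: answer did not fit in the UDP limit
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal wire-format DNS query: header plus one question."""
    header = DNS_HEADER.pack(txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def parse_header(msg):
    """Decode the 12-byte header into the fields a resolver cares about."""
    txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg, 0)
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def needs_tcp_retry(udp_response):
    """RFC 1035 section 4.2.1: a UDP reply with TC set was cut at 512 bytes
    and the client is expected to repeat the query over TCP."""
    return parse_header(udp_response)["tc"]


def frame_for_tcp(msg):
    """RFC 1035 section 4.2.2: on TCP each message carries a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream):
    """Split a TCP byte stream back into individual DNS messages."""
    msgs = []
    off = 0
    while off + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, off)
        off += 2
        if off + length > len(stream):
            raise ValueError("truncated TCP DNS stream")
        msgs.append(stream[off:off + length])
        off += length
    return msgs


def resolve_outcome(udp_response, tcp_allowed):
    """Model a client behind a firewall: a complete UDP answer is used as-is,
    a truncated one needs TCP, and without TCP the name is simply unresolvable."""
    if not needs_tcp_retry(udp_response):
        return "answered-udp"
    return "retry-tcp" if tcp_allowed else "unresolvable"


# Constructed sample responses (same question section as the query, no records).
QUERY = build_query("example.com.")
COMPLETE_UDP_RESPONSE = (
    DNS_HEADER.pack(0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 0, 0, 0) + QUERY[12:]
)
TRUNCATED_UDP_RESPONSE = (
    DNS_HEADER.pack(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, 1, 0, 0, 0) + QUERY[12:]
)

if __name__ == "__main__":
    for name, resp in (("complete", COMPLETE_UDP_RESPONSE), ("truncated", TRUNCATED_UDP_RESPONSE)):
        print(name, "TCP open:", resolve_outcome(resp, True),
              "| TCP/53 blocked:", resolve_outcome(resp, False))
```

The point the model makes is the one in the RFC: the TC bit is the server's only way to say "ask again over TCP", so a firewall that silently drops TCP/53 turns every truncated answer into a resolution failure for the client rather than saving any bandwidth.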