Restricting TCP / 53 on the firewall level
Jim Reid
jim at rfc1035.com
Mon Mar 25 18:55:58 UTC 2002
>>>>> "Kristin" == Kristin Gorman <kgorman at book.com> writes:
Kristin> Does anyone see any issues with restricting TCP/53 on a
Kristin> firewall in front of your DNS server? There would be no
Kristin> legitimate query that would warrant an answer larger than
Kristin> 512 bytes. Zone transfers are done internally amongst
Kristin> machines behind the firewall.
Kristin> I've seen postings that say it is not wise to do, but I
Kristin> cannot see any legitimate reasons not to.
Well I cannot see any legitimate reasons to block DNS service over
TCP. You cannot expect the rest of the internet to comply with your
arbitrary and unilateral action like this. [What do you hope to achieve
by blocking TCP queries? What purpose will this serve?] For one thing,
you cannot be sure that truncation -- => TCP retries -- will never
happen. For another, some clients use TCP by default. Here's an
extract from the man page for sethostent(), which some applications
like netstat use as a precursor to hostname or address lookups:
Sethostent() may be used to request the use of a connected TCP socket for
queries. If the stayopen flag is non-zero, this sets the option to send
all queries to the name server using TCP and to retain the connection after
each call to gethostbyname() or gethostbyaddr().
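To make the truncation-and-retry point concrete, the following is an added Python example; it is not part of the original post and not BIND code. It models the RFC 1035 exchange without any network: a response that would exceed the classic 512-byte UDP payload limit comes back with the TC bit set and no answer records, so the resolver must repeat the query over TCP, where every message is prefixed with a 2-byte length. The function names (build_query, build_response, resolve, tcp_frame, tcp_unframe), the query name and the 10.0.0.x addresses are constructed for illustration only. Calling resolve() with tcp_allowed=False shows what a firewall that drops TCP/53 does to such a lookup.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1)
DNS_FLAG_QR = 0x8000  # message is a response
DNS_FLAG_TC = 0x0200  # response was truncated
DNS_FLAG_RD = 0x0100  # recursion desired
UDP_MAX = 512         # classic UDP payload limit without EDNS


def encode_name(name):
    """Encode a dotted hostname as DNS length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234):
    """Build a standard A query (qtype 1, class IN) with RD set."""
    header = struct.pack("!HHHHHH", txid, DNS_FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, addresses, max_size=None):
    """Answer an A query with one RR per address (constructed sample server).

    If max_size is given and the full message does not fit, return what a
    server sends over UDP in that case: the question only, with TC=1.
    """
    txid, flags = struct.unpack("!HH", query[:4])
    question = query[12:]  # qname + qtype + qclass copied from the query
    rrs = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer to the name at offset 12 (the question)
        rrs += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, flags | DNS_FLAG_QR, 1, len(addresses), 0, 0)
    full = header + question + rrs
    if max_size is None or len(full) <= max_size:
        return full
    # Truncated: drop the answers and set TC so the client retries over TCP
    header = struct.pack("!HHHHHH", txid, flags | DNS_FLAG_QR | DNS_FLAG_TC, 1, 0, 0, 0)
    return header + question


def is_truncated(message):
    """True if the TC bit is set in the message header."""
    (flags,) = struct.unpack("!H", message[2:4])
    return bool(flags & DNS_FLAG_TC)


def answer_count(message):
    """ANCOUNT from the message header."""
    (ancount,) = struct.unpack("!H", message[6:8])
    return ancount


def tcp_frame(message):
    """RFC 1035 section 4.2.2: over TCP each message carries a 2-byte length prefix."""
    return struct.pack("!H", len(message)) + message


def tcp_unframe(stream):
    """Split a TCP byte stream back into the individual DNS messages."""
    messages, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        messages.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages


def resolve(query, addresses, tcp_allowed=True):
    """Model a stub resolver: query over UDP, retry over TCP when TC=1.

    Returns (transport, number_of_answers). Raises ConnectionError when the
    UDP answer is truncated and TCP/53 is filtered, which is the failure a
    firewall rule blocking TCP/53 causes.
    """
    udp_reply = build_response(query, addresses, max_size=UDP_MAX)
    if not is_truncated(udp_reply):
        return ("udp", answer_count(udp_reply))
    if not tcp_allowed:
        raise ConnectionError("response truncated and TCP/53 is blocked")
    tcp_reply = tcp_unframe(tcp_frame(build_response(query, addresses)))[0]
    return ("tcp", answer_count(tcp_reply))


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(resolve(q, ["10.0.0.1", "10.0.0.2"]))                       # fits in UDP
    print(resolve(q, ["10.0.0.%d" % i for i in range(1, 31)]))         # needs TCP
```

For the sample query (33 bytes) each A record adds 16 bytes, so 29 addresses still fit in 512 bytes and 30 do not; the second call above is exactly the case where a filtered TCP/53 turns a valid answer into a lookup failure.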