Restricting TCP / 53 on the firewall level

phn at icke-reklam.ipsec.nu
Mon Mar 25 20:25:45 UTC 2002


Kristin Gorman <kgorman at book.com> wrote:
> Does anyone see any issues with restricting TCP/53 on a firewall in front of
> your DNS server?  There would be no legitimate query that would warrant an
> answer larger than 512 bytes.  Zone transfers are done internally amongst
> machines behind the firewall.

DNS requires UDP and TCP port 53. 

If you opt to break standards (for whatever reason), you cannot
blame anyone but yourself for any time and effort spent debugging problems.

Regarding sizes of answers, yes, legitimate answers might very well
be larger than 512 bytes (hint: you might ask for something
that some other nameserver will need 550 bytes to answer).


> I've seen postings that say it is not wise to do, but I cannot see any
> legitimate reasons not to.

And I cannot see any reason to deliberately break things. It is not even
beneficial for your security in this case.

> Thanks in advance,

> Kristin Gorman
> Platform Engineer
> Barnes&Noble.com
> 212-414-6627





-- 
Peter Håkanson         
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but i'm trying to keep spam out.
	   Remove "icke-reklam" and it works.
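The mechanism behind the reply above is the truncation fallback of RFC 1035: a server whose answer does not fit in a 512-byte UDP datagram sets the TC bit, and the resolver is required to repeat the same query over TCP/53, where messages carry a two-byte length prefix. The following is an added example, not code from the original post or from BIND; it builds a query and a constructed 40-record answer in memory (nothing is sent on the wire), shows the server truncating it for UDP, and shows the client falling back to TCP. The "firewall" is modelled as a function that refuses the TCP connection; a real filter that silently drops TCP/53 would instead make the resolver hang until it times out, which is harder to diagnose. EDNS0 raises the UDP limit, but the TC fallback still applies whenever an answer (DNSSEC-signed responses in particular) exceeds whatever UDP size is in effect, so the conclusion does not change.

```python
"""Why a resolver needs TCP/53: the TC-bit fallback of RFC 1035 section 4.2.

Added example, not from the original post. All messages are constructed
in memory; nothing is sent on the network.
"""
import struct

DNS_UDP_MAX = 512                      # RFC 1035 UDP payload limit without EDNS0
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Encode a dotted name as DNS length-prefixed labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid=0x1234, qtype=1, qclass=1):
    """Minimal query: 12-byte header with RD=1, then one question (A/IN by default)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    """Return the header fields a resolver needs to decide what to do next."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "ancount": an}


def build_response(query, answers):
    """Constructed answer: echo the question, then one A record per IPv4 tuple.
    Each record is 16 bytes: name pointer to offset 12, type, class, TTL, rdlength, rdata."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(ip)
                   for ip in answers)
    return struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0) + query[12:] + rrs


def truncate_for_udp(msg):
    """Server side: a message over 512 bytes cannot go out in one classic UDP
    datagram, so set TC and send only the question (answer count zeroed).
    Real servers keep as many whole records as fit; the TC bit is the point here."""
    if len(msg) <= DNS_UDP_MAX:
        return msg
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qend = 12 + msg[12:].index(b"\x00") + 1 + 4    # end of the single question
    return struct.pack("!HHHHHH", qid, flags | FLAG_TC, qd, 0, 0, 0) + msg[12:qend]


def tcp_frame(msg):
    """DNS over TCP prefixes every message with its 16-bit length (RFC 1035 s4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    (length,) = struct.unpack("!H", data[:2])
    return data[2:2 + length]


def resolve(name, udp_send, tcp_send):
    """Client side: query over UDP; if TC is set, repeat the query over TCP."""
    query = build_query(name)
    reply = udp_send(query)
    if not parse_header(reply)["tc"]:
        return reply, "udp"
    reply = tcp_unframe(tcp_send(tcp_frame(query)))
    return reply, "tcp"


def make_server(answers):
    """Simulated nameserver exposed as two transports (constructed, in memory)."""
    def udp(query):
        return truncate_for_udp(build_response(query, answers))

    def tcp(framed):
        return tcp_frame(build_response(tcp_unframe(framed), answers))
    return udp, tcp


def blocked_tcp(_framed):
    """Stand-in for a firewall that filters TCP/53 (assumed behaviour: refuse)."""
    raise ConnectionRefusedError("firewall filters TCP/53")


def demo(n_answers=40, block_tcp=False):
    """40 A records give a 673-byte answer, which exceeds 512 and needs TCP."""
    answers = [(10, 0, 0, i) for i in range(1, n_answers + 1)]   # constructed data
    udp, tcp = make_server(answers)
    try:
        reply, via = resolve("www.example.com", udp, blocked_tcp if block_tcp else tcp)
    except ConnectionRefusedError as err:
        return {"ok": False, "error": str(err)}
    hdr = parse_header(reply)
    return {"ok": True, "via": via, "answers": hdr["ancount"]}


if __name__ == "__main__":
    print(demo(n_answers=1))        # small answer, UDP alone suffices
    print(demo())                   # large answer, TC set, completes over TCP
    print(demo(block_tcp=True))     # same answer with TCP/53 filtered: resolution fails
```

The corresponding firewall check is simple: whatever rule admits udp/53 to the nameserver must have a twin for tcp/53, and the same holds for outbound traffic from a recursive resolver, since it is the resolver that initiates the TCP retry.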


More information about the bind-users mailing list