Restricting TCP / 53 on the firewall level
phn at icke-reklam.ipsec.nu
Mon Mar 25 21:12:33 UTC 2002
Barry Margolin <barmar at genuity.net> wrote:
> In article <a7o1ig$l98 at pub3.rc.vix.com>, <phn at icke-reklam.ipsec.nu> wrote:
>>
>>Kristin Gorman <kgorman at book.com> wrote:
>>> Does anyone see any issues with restricting TCP/53 on a firewall in front of
>>> your DNS server? There would be no legitimate query that would warrant an
>>> answer larger than 512 bytes. Zone transfers are done internally amongst
>>> machines behind the firewall.
>>
>>DNS requires UDP and TCP port 53.
>>
>>If you opt for breaking standards (for whatever reason) you cannot
>>blame anyone but yourself for any time and effort used to debug problems.
> A standard that a sizable fraction of the Internet community routinely
> breaks with no consequences can't really be too important. I'd say that
> this is in the same category as using RFC 1918 addresses on internal links
> to routable addresses -- more honored in the breach.
Until the day one spends a number of hours diagnosing a problem and it
turns out to have this cause. Who should pay for the hours? Who is to blame?
>>Regarding sizes of answers, yes, legitimate answers might very well
>>be larger than 512 bytes (hint, you might ask for something
>>that some other nameserver will need 550 bytes to answer).
> I assume he's only talking about blocking *incoming* connections, not
> connections that his nameserver initiates. In that case, he controls the
> size of the answers.
Well, she (hi Kristin!) did not limit it to one direction only. And sometimes
nameservers will send queries too.
> --
> Barry Margolin, barmar at genuity.net
> Genuity, Woburn, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
--
Peter Håkanson
IPSec Sverige (At the Riverside of Gothenburg, home of Volvo)
Sorry about my e-mail address, but i'm trying to keep spam out.
Remove "icke-reklam" and it works.
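Added example, not part of the thread: a small Python model of the UDP/TCP fallback the discussion turns on. A constructed 557-byte answer (about the 550-byte case mentioned above) comes back over UDP as a 29-byte reply with only the TC bit set, and the lookup completes only if the TCP/53 retry gets through the firewall. All bytes are constructed; example.com and 192.0.2.1 are documentation placeholders, and the server/firewall are simulated in-process.

```python
import struct

UDP_MAX = 512  # RFC 1035 4.2.1: DNS over UDP is limited to 512 bytes (pre-EDNS)
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus a zero terminator."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def sample_response(n_answers=33, txid=0x1234):
    """Constructed response for example.com/A with n_answers identical A records.
    33 records give 12 + 17 + 33*16 = 557 bytes, over the UDP limit."""
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, 1, n_answers, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)  # A, IN
    # RR: pointer to the name at offset 12, type A, class IN, TTL 300, rdlength 4, 192.0.2.1
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + rr * n_answers


def udp_reply_for(full_response):
    """Server side: an answer that does not fit in UDP is sent back as header +
    question only, with TC=1, which tells the client to retry over TCP."""
    if len(full_response) <= UDP_MAX:
        return full_response
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", full_response[:12])
    qend = full_response.index(b"\x00", 12) + 1 + 4  # name terminator + qtype + qclass
    return struct.pack("!HHHHHH", txid, flags | FLAG_TC, qd, 0, 0, 0) + full_response[12:qend]


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def tcp_frame(msg):
    """RFC 1035 4.2.2: over TCP each message is prefixed with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def resolve(full_response, tcp53_allowed):
    """Client side. Returns (transport, bytes) or None when the firewall drops
    the TCP/53 retry that a truncated UDP reply requires."""
    udp = udp_reply_for(full_response)
    if not is_truncated(udp):
        return ("udp", udp)
    if not tcp53_allowed:
        return None  # TC set, TCP blocked: the lookup fails instead of completing
    return ("tcp", tcp_frame(full_response))


if __name__ == "__main__":
    big = sample_response()
    print(len(big), len(udp_reply_for(big)), is_truncated(udp_reply_for(big)))
    print(resolve(big, tcp53_allowed=True)[0], resolve(big, tcp53_allowed=False))
```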