Restricting TCP / 53 on the firewall level

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Mon Mar 25 21:12:33 UTC 2002


Barry Margolin <barmar at genuity.net> wrote:
> In article <a7o1ig$l98 at pub3.rc.vix.com>,  <phn at icke-reklam.ipsec.nu> wrote:
>>
>>Kristin Gorman <kgorman at book.com> wrote:
>>> Does anyone see any issues with restricting TCP/53 on a firewall in front of
>>> your DNS server?  There would be no legitimate query that would warrant an
>>> answer larger than 512 bytes.  Zone transfers are done internally amongst
>>> machines behind the firewall.
>>
>>DNS requires UDP and TCP port 53. 
>>
>>If you opt for breaking standards ( for whatever reason) you cannot
>>blame anyone but yourself for any time and efforts used to debug problems.

> A standard that a sizable fraction of the Internet community routinely
> breaks with no consequences can't really be too important.  I'd say that
> this is in the same category as using RFC 1918 addresses on internal links
> to routable addresses -- more honored in the breach.

Until the day one spends a number of hours diagnosing a problem and it
turns out to be due to this cause. Who should pay for the hours? Who is to blame?


>>Regarding sizes of answers, yes, legitimate answers might very well
>>be larger than 512 bytes (hint: you might ask for something
>>that some other nameserver will need 550 bytes to answer).

> I assume he's only talking about blocking *incoming* connections, not
> connections that his nameserver initiates.  In that case, he controls the
> size of the answers.

Well, she (hi Kristin!) did not limit it to one direction only. And sometimes
a nameserver will ask queries too.

> -- 
> Barry Margolin, barmar at genuity.net
> Genuity, Woburn, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.


-- 
Peter Håkanson         
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but I'm trying to keep spam out.
           Remove "icke-reklam" and it works.
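The mechanism the thread argues about, as an added example that is not part of the original post or of BIND: a classic DNS answer over UDP is limited to 512 bytes of payload (RFC 1035), so a server whose answer does not fit sets the TC flag and the client is expected to retry over TCP, where every message carries a 2-byte length prefix. Both sides are simulated in-process with a constructed zone (the names `small.example.` and `big.example.` and their addresses are made up); no sockets are opened. The `tcp53_open` switch models a firewall that drops TCP/53, which is the case in which the client is left with a truncated, answerless reply.

```python
"""Simulated DNS exchange showing why blocking TCP/53 matters (added example;
constructed zone data, no network I/O)."""
import struct

UDP_MAX = 512            # RFC 1035 UDP payload limit (no EDNS0)
FLAG_TC = 0x0200         # truncation bit in the header flags
RESPONSE_FLAGS = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, i=12):
    """Read an uncompressed name starting at offset i (the question)."""
    labels = []
    while msg[i] != 0:
        n = msg[i]
        labels.append(msg[i + 1:i + 1 + n].decode("ascii"))
        i += n + 1
    return ".".join(labels) + "."


def question_section(msg):
    """Return the question bytes that follow the 12-byte header."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return msg[12:i + 1 + 4]    # terminating zero + QTYPE + QCLASS


def build_query(qid, name, qtype=1):
    """Header with RD set and one question, then QNAME/QTYPE/QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, addrs):
    """One A record per address; the owner name is a compression pointer
    (0xC00C) back to the question, so each RR is exactly 16 bytes."""
    qid = struct.unpack("!H", query[:2])[0]
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        + bytes(int(o) for o in ip.split("."))
        for ip in addrs)
    header = struct.pack("!HHHHHH", qid, RESPONSE_FLAGS, 1, len(addrs), 0, 0)
    return header + question_section(query) + rrs


def flags(msg):
    return struct.unpack("!H", msg[2:4])[0]


def answer_count(msg):
    return struct.unpack("!H", msg[6:8])[0]


def truncate_for_udp(response):
    """Over UDP a response above 512 bytes is replaced by header + question
    with TC set and ANCOUNT=0; the client must come back over TCP."""
    if len(response) <= UDP_MAX:
        return response
    qid = struct.unpack("!H", response[:2])[0]
    header = struct.pack("!HHHHHH", qid, RESPONSE_FLAGS | FLAG_TC, 1, 0, 0, 0)
    return header + question_section(response)


def tcp_frame(msg):
    """RFC 1035 section 4.2.2: TCP messages are prefixed by a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    (n,) = struct.unpack("!H", data[:2])
    return data[2:2 + n]


class SimServer:
    """Authoritative server over a constructed zone (hypothetical names)."""
    def __init__(self, zone):
        self.zone = zone

    def udp(self, query):
        return truncate_for_udp(
            build_response(query, self.zone.get(decode_name(query), [])))

    def tcp(self, framed_query):
        query = tcp_unframe(framed_query)
        return tcp_frame(build_response(query, self.zone.get(decode_name(query), [])))


def resolve(server, name, tcp53_open=True):
    """Client side: ask over UDP, retry over TCP when TC is set.
    Returns (transport used, answer count, whether the answer is complete)."""
    query = build_query(0x1234, name)
    reply = server.udp(query)
    if not flags(reply) & FLAG_TC:
        return ("udp", answer_count(reply), True)
    if not tcp53_open:
        # Firewall drops TCP/53: the client is stuck with the truncated reply.
        return ("udp", answer_count(reply), False)
    reply = tcp_unframe(server.tcp(tcp_frame(query)))
    return ("tcp", answer_count(reply), True)


# Constructed zone: 2 addresses fit in UDP, 40 addresses (669 bytes) do not.
ZONE = {"small.example.": ["192.0.2.1", "192.0.2.2"],
        "big.example.": ["192.0.2.%d" % i for i in range(1, 41)]}

if __name__ == "__main__":
    srv = SimServer(ZONE)
    for name in ZONE:
        print(name, resolve(srv, name), resolve(srv, name, tcp53_open=False))
```

With TCP/53 open the large answer arrives over TCP; with it blocked the client gets a TC-flagged reply with zero answers, which is the hours-of-debugging failure mode described above, and it appears only for the names whose answers happen to exceed 512 bytes. EDNS0 (RFC 2671) lets a client advertise a larger UDP buffer, but a server is still free to truncate and ask for TCP, so the fallback path has to be reachable.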

