firewall config....what to open....tcp or udp port 53?

Saad Kadhi bsdguy at docisland.org
Wed Oct 23 07:19:25 UTC 2002


On Wed, Oct 23, 2002 at 10:11:18AM +0800, Elias wrote:
> Hi guys,
> 
> DNS queries are done via UDP port 53 only right? I want to completely block all zone transfer request, so can I block tcp port 53 on my firewall? Or do i still need to open that port? Thanks.

DNS queries are mostly done via UDP. However, when the DNS msg is too big to fit
in a UDP packet, DNS will use TCP for queries. So I'd keep tcp/53 open as well
unless 100% sure all DNS msgs will fit into a UDP packet.

IMHO, restricting zone xfers should not be done at the firewall but rather at the
named level by using 'allow-transfer' substatements and eventually combining
this with TSIG keys.

-- 
Saad Kadhi -- [saad at docisland.org] [bsdguy at docisland.org]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63  65EB 34F1 DBBF 3559 2A6D]
---
"If what you say is neither beautiful, nor good, nor true, then be silent!"
							    - Socrates
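What the reply above describes in named.conf terms, as an added example rather than the poster's own configuration: a weak zone statement that lets any host pull the zone, next to one that only allows transfers signed with a shared TSIG key. The zone name, key name, secondary address (192.0.2.1, a documentation range) and the key secret are placeholders.

```conf
// Weak: allow-transfer { any; } lets any host that can reach tcp/53 pull the
// whole zone. Blocking tcp/53 at the firewall would stop this, but it would
// also break legitimate queries whose responses do not fit in a UDP packet.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
};

// Hardened: a shared TSIG key, and a zone that only transfers to requests
// signed with it. Generate the secret with tsig-keygen (newer BIND) and paste
// the same key statement on the secondary. Older BIND releases only support
// hmac-md5 here; use the strongest algorithm your version accepts.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-FROM-TSIG-KEYGEN=";   // placeholder
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Only TSIG-signed requests using xfer-key may transfer the zone.
    // Unsigned AXFR/IXFR requests are refused by named, not by the firewall.
    allow-transfer { key "xfer-key"; };
};

// On the secondary, in addition to the identical key statement above,
// tell named to sign every request it sends to the primary with that key.
// The transfer itself still runs over TCP, so tcp/53 from the secondary
// to the primary must remain open on the firewall.
server 192.0.2.1 {
    keys { "xfer-key"; };
};
```

Watching for refused transfer attempts in the named log (after `named-checkconf` and a reload) is the quickest way to confirm the restriction took effect.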


More information about the bind-users mailing list