Best ipfw Rules for DNS-SEC

Joseph S D Yao jsdy at tux.org
Sat Mar 26 12:46:19 UTC 2011


On Tue, Mar 15, 2011 at 01:08:57PM -0500, Martin McCormick wrote:
> Is there a recommended set of firewall rules that insure that all
> necessary DNS traffic can enter and leave, even the larger
> packets that result from dns-sec?
> 
> 	We want port 53 traffic from anywhere, in this case and
> can send it anywhere, and want to be sure that no port 53
> traffic is being lost.


Many people say "port 53" without specifying that DNS queries need both
UDP port 53 and TCP port 53 for larger queries.  Also, not that ipfw
checks this, but many firewalls come with large UDP packets blocked,
thus breaking EDNS0.  Although there is no firm upper limit, there is a
suggested upper limit of 4096 bytes for EDNS0.


--
/*********************************************************************\
**
** Joe Yao				jsdy at tux.org - Joseph S. D. Yao
**
\*********************************************************************/
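An added example (not from the thread, and not Joe's or ISC's code) of an ipfw ruleset that covers the two points in the reply above, UDP and TCP on port 53 in both directions plus the IP fragments that large EDNS0 responses arrive in, with a dig-based check for the path. It assumes the ipfw `me` keyword addresses the nameserver host and that rule numbers 1000-1090 are unused and sort before the site's deny rules.

```shell
#!/bin/sh
# Added example: stateless ipfw rules for a host that both answers and sends
# DNS queries. Assumptions: "me" (ipfw keyword) is the nameserver host and
# rule numbers 1000-1090 are free and precede the site's deny rules.

# Print the ruleset. UDP and TCP port 53 are allowed in each direction for
# both roles (server on port 53, resolver querying port 53). The two "frag"
# rules pass non-first IP fragments, which carry no port numbers and so can
# never match a port rule; without them an EDNS0 answer larger than the path
# MTU (up to the suggested 4096 bytes) is silently dropped.
dns_rules() {
	cat <<'EOF'
add 1000 allow udp from any to me 53 in
add 1010 allow udp from me 53 to any out
add 1020 allow udp from me to any 53 out
add 1030 allow udp from any 53 to me in
add 1040 allow tcp from any to me 53 in
add 1050 allow tcp from me 53 to any out
add 1060 allow tcp from me to any 53 out
add 1070 allow tcp from any 53 to me in
add 1080 allow ip from any to me frag
add 1090 allow ip from me to any frag
EOF
}

# Load the rules with ipfw(8); run this only on the firewall host itself.
apply_dns_rules() {
	dns_rules | while IFS= read -r rule; do
		# shellcheck disable=SC2086  (word splitting is intended here)
		ipfw $rule || return 1
	done
}

# Check that a large DNSSEC answer crosses the path over UDP: +ignore makes
# dig report the TC flag instead of retrying over TCP, and a timeout means
# the fragments were dropped somewhere. Needs network access and a
# DNSSEC-signed name; prints the flags and message-size lines to inspect.
check_edns_path() {
	name="${1:?zone name required}"
	dig +dnssec +bufsize=4096 +ignore +noall +comments +stats "$name" DNSKEY \
		| grep -E '^;; flags:|^;; MSG SIZE'
}

dns_rules
```

Run `apply_dns_rules` on the ipfw host, then `check_edns_path <signed-zone>` from outside it; a `tc` flag or a timeout on the DNSKEY query points at blocked fragments or a UDP size limit.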
