telnet to port 53

Jim Reid jim at rfc1035.com
Tue Dec 14 19:22:46 UTC 1999


>>>>> "Donal" == Donal Diamond <ddiamond at indigo.ie> writes:

    Donal> I am using BIND 8.2.2 patchlevel 5 as a caching only server
    Donal> on FreeBSD 3.3-STABLE.  In the interests of security I want
    Donal> to disable named running on TCP port 53. I only want UDP 53
    Donal> open.  As I have been told a golden rule in securing a box
    Donal> is to get rid of services that are not needed.  I would
    Donal> prefer to be able to disable TCP port 53 using some startup
    Donal> option on BIND rather than filtering it out using a
    Donal> firewall. Is this possible?

Not unless you hack the source code. And you'd be violating the DNS
specs by not having your name server listen on TCP port 53. Though
most DNS lookups use UDP, TCP has to be there to handle truncated
replies. If an answer is too big for a UDP response, the resolver is
supposed to repeat the query using TCP so that it gets the whole of
the answer. If your name server isn't listening on TCP port 53, this
won't be possible.

You'll also break any resolvers (clients) which use TCP. Sometimes
resolvers will use a TCP connection to talk to a name server when they
know they're going to make lots of lookups - see the RES_USEVC and
RES_STAYOPEN options in resolv.h. Oh, and zone transfers *always* use
TCP, though admittedly this wouldn't be an issue for your caching-only
name server.

I'm curious why you think disabling TCP traffic to port 53 on your
name server is "in the interests of security". If you block this
traffic, it's tantamount to denying DNS service. You might as well not
bother running a name server on that system, even though TCP queries
might be rare events.
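The UDP-then-TCP retry described in the reply above, as an added Python example (not code from the original post or from BIND): it builds a query, checks the TC bit of the reply header, and repeats the query over TCP with the two-byte length prefix RFC 1035 requires. The two fake transports and the 192.0.2.1 answer are constructed stand-ins for a real server so the logic runs offline.

```python
import struct

QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080  # DNS header flag bits

def build_query(qname, qtype=1, qid=0x1234):
    """Minimal RFC 1035 query: 12-byte header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def is_truncated(msg):
    """True when TC is set: the server could not fit the whole answer in UDP."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    return bool(struct.unpack("!H", msg[2:4])[0] & TC)

def frame_tcp(msg):
    """RFC 1035 4.2.2: over TCP every message is prefixed by its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg

def unframe_tcp(data):
    """Strip the length prefix and check the stream carried the whole message."""
    (length,) = struct.unpack("!H", data[:2])
    if len(data) - 2 != length:
        raise ValueError("incomplete or overlong TCP DNS message")
    return data[2:]

def lookup(query, send_udp, send_tcp):
    """Query over UDP first; if the reply is truncated, repeat it over TCP.
    send_udp(bytes)->bytes and send_tcp(framed bytes)->framed bytes are the
    transports, injected so the decision logic can be exercised offline."""
    reply = send_udp(query)
    if not is_truncated(reply):
        return reply, "udp"
    return unframe_tcp(send_tcp(frame_tcp(query))), "tcp"

# Constructed sample server: UDP answers with TC set and no records,
# TCP answers the same question with one A record (192.0.2.1, documentation range).
def fake_udp(query):
    return struct.pack("!HHHHHH", 0x1234, QR | RD | RA | TC, 1, 0, 0, 0) + query[12:]

def fake_tcp(framed):
    query = unframe_tcp(framed)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return frame_tcp(struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
                     + query[12:] + rr)

if __name__ == "__main__":
    reply, transport = lookup(build_query("example.com"), fake_udp, fake_tcp)
    print(transport, "answers:", struct.unpack("!H", reply[6:8])[0])
```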

