tcp/udp, clarification please
Brad Knowles
brad.knowles at skynet.be
Thu Oct 11 15:09:37 UTC 2001
At 10:04 AM -0400 2001/10/11, Eoin Miller wrote:
> how would having no TCP access to my DNS servers prevent adoption of better
> security tools?
Because advanced DNS security measures like TSIG and DNSSEC
make the packets so large that they are almost certainly guaranteed
to be too big to fit into a single UDP packet?
> my zone transfers would still be going over TCP because i
> have a firewall/DMZ setup, and behind the firewall TCP is allowed to
> transfer between the boxes, but to the outside world only UDP is accessible,
This is fundamentally the wrong way to do it. Allow both TCP
and UDP through to your nameserver, and then use the mechanisms built
into the nameserver software (e.g., BIND) to restrict who is/is not
allowed to perform a zone transfer.
If you choose to configure your nameserver in any other
fashion, you're welcome to support the thing entirely and completely
on your own, but please don't ask anyone else in the world for any
help.
And once again, I must ask you to stop lying about your
return e-mail address, and causing e-mail replies to be sent back to
the US Federal Trade Commission. If anything, by this action, you
are as bad as (or worse) a criminal than all the spammers out there.
If you continue to participate in this illegal activity, then
I will be forced to contact the appropriate people at RCN and begin
proceedings to have your account terminated.
--
Brad Knowles, <brad.knowles at skynet.be>
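The point Brad makes about large answers is visible in the protocol itself: when a response does not fit in a UDP datagram, the server sets the TC (truncated) bit in the header and the client is expected to retry the same question over TCP port 53 (RFC 1035, section 4.2). A firewall that drops TCP/53 leaves the client with a truncated answer it cannot complete. The script below is an added illustration, not code from this thread or from BIND: it builds a minimal DNS query, parses the header flags of a response, and frames a query for TCP with the two-byte length prefix. The sample messages, the name `example.com` and the transaction id 0x1234 are constructed values; `resolve()` takes a server address as a parameter and needs network access, while the parsing functions run offline.

```python
import socket
import struct

# Header flag bits (RFC 1035 section 4.1.1).
QR_FLAG = 0x8000   # message is a response
TC_FLAG = 0x0200   # response was truncated: retry over TCP
UDP_CLASSIC_MAX = 512  # UDP payload limit without EDNS0


def encode_name(name):
    """Encode a dotted hostname as a sequence of DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: 12-byte header with RD set, plus one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the fixed header; 'truncated' tells the caller to switch to TCP."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "txid": txid,
        "flags": flags,
        "qdcount": qd,
        "ancount": an,
        "is_response": bool(flags & QR_FLAG),
        "truncated": bool(flags & TC_FLAG),
    }


def needs_tcp_retry(udp_response):
    """True when a UDP answer carries TC and must be re-asked over TCP."""
    return parse_header(udp_response)["truncated"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 16-bit length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def resolve(name, server, qtype=1, timeout=2.0):
    """Ask over UDP first; if the server sets TC, repeat the query over TCP.

    Returns (raw_response, transport). Requires network access to 'server'.
    If TCP/53 is filtered, the second stage fails and the truncated answer
    is all the client ever gets.
    """
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        resp, _ = s.recvfrom(UDP_CLASSIC_MAX)
    if not needs_tcp_retry(resp):
        return resp, "udp"
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))
        s.sendall(tcp_frame(query))
        length = struct.unpack("!H", recv_exact(s, 2))[0]
        return recv_exact(s, length), "tcp"


# Constructed sample responses (not captured traffic). Flags 0x8380 =
# QR|TC|RD|RA, i.e. a truncated reply; 0x8180 = QR|RD|RA, a complete one.
SAMPLE_TRUNCATED = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
                    + encode_name("example.com") + struct.pack("!HH", 1, 1))
SAMPLE_COMPLETE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    for label, sample in (("truncated", SAMPLE_TRUNCATED), ("complete", SAMPLE_COMPLETE)):
        print(label, "-> retry over TCP:", needs_tcp_retry(sample))
```

The firewall question and the zone-transfer question are separate: the transport fallback above is why TCP/53 has to be reachable, while who may pull a zone is decided inside the nameserver (in BIND, the `allow-transfer` option, optionally tied to a TSIG key), which is the arrangement Brad recommends.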