Disable TCP/53
Jim Reid
jim at rfc1035.com
Sat Feb 23 02:24:50 UTC 2002
>>>>> "dave" == dave goldsmith <dave.goldsmith at intelsat.com> writes:
dave> Regarding zone transfers, you should only allow authorized
dave> external secondary DNS servers to do a zone transfer from
dave> your server. Two security settings can be applied here. On
dave> the DNS server, you can specify a list of servers authorized
dave> to pull zone files. If you have a firewall of some sort,
dave> you can also restrict access to TCP/53 to your DNS server to
dave> the same list of authorized secondaries. Restricting access
dave> to TCP/53 on the firewall will interfere with the ability to
dave> use TCP for large query response but most people don't have
dave> DNS records so complex or numerous that the responses don't
dave> fit in UDP response packets.
While this is true, it does not mean that it's OK to block or refuse
TCP queries to port 53. Some applications that make lots of lookups --
like netstat -- can use a TCP connection for their queries.
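The first of the two controls dave describes, an explicit list of secondaries allowed to pull the zone, is configured in BIND itself rather than at the firewall. The following named.conf fragment is an added example for this thread, not text from either poster; the ACL name, zone name, file name and addresses are constructed placeholders.

```conf
// Added example: restrict zone transfers to named secondaries in BIND
// while leaving ordinary queries, including TCP queries, open.

acl "secondaries" {
    192.0.2.10;   // placeholder: authorized external secondary
    192.0.2.11;   // placeholder: second authorized secondary
};

options {
    // Global default: refuse AXFR/IXFR from any host not in the list.
    allow-transfer { secondaries; };

    // Queries stay open over both UDP and TCP. Nothing here closes
    // TCP/53, so a truncated (TC) UDP answer can still be retried over
    // TCP, which is the case the reply above is concerned with.
    allow-query { any; };
};

zone "example.com" {
    type master;
    file "db.example.com";   // placeholder zone file
    // A per-zone allow-transfer overrides the global default if needed.
    allow-transfer { secondaries; };
};
```

The difference between the two controls is granularity: a firewall rule on TCP/53 cannot tell a zone transfer from an ordinary query that happened to need TCP, so it can only deny all TCP/53 traffic from unlisted hosts. The allow-transfer statement in named applies only to AXFR/IXFR requests, so transfers are limited to the listed secondaries while TCP fallback for large responses keeps working for everyone.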