Disable TCP/53
phn at icke-reklam.ipsec.nu
Sat Feb 23 08:50:32 UTC 2002
dave.goldsmith at intelsat.com wrote:
> There have been a number of responses in the line of "your firewall is
> broken -- fix it". This is not necessarily the case. DNS uses TCP for two
> reasons. The first is zone transfers, the second is to return responses to
> queries that are too large to fit in a UDP packet.
The third is to answer queries that have been done using TCP.
Remember that one of the big irons once had a version of their un*x that
actually defaulted to TCP. Blocking TCP would prevent all of these
from ever asking such a nameserver.
And it's no option either; it's specifically required
(RFC 1123 6.1.3.2 Transport Protocols).
> Regarding zone transfers, you should only allow authorized external
> secondary DNS servers to do a zone transfer from your server. Two security
> settings can be applied here. On the DNS server, you can specify a list of
> servers authorized to pull zone files. If you have a firewall of some sort,
> you can also restrict access to TCP/53 to your DNS server to the same list
> of authorized secondaries. Restricting access to TCP/53 on the firewall
> will interfere with the ability to use TCP for large query response but most
> people don't have DNS records so complex or numerous that the responses
> don't fit in UDP response packets.
Unless one uses some broken implementations of dynamic update that
cause multiple records of the same "key"; this may easily create
lots of records too big for a UDP answer.
> Dave Goldsmith
>> -----Original Message-----
>> From: Tan Chun Han/ITNOC/PBB/PBBG [mailto:tanch at publicbank.com.my]
>> Sent: Wednesday, February 20, 2002 9:15 PM
>> To: bind-users at isc.org
>> Subject: Disable TCP/53
>>
>> Hi, our firewall keeps detecting and rejecting TCP/53 queries.
>> Does BIND by default use TCP/53 and UDP/53? Is there any way
>> to disable TCP/53, thus enabling UDP/53?
>
--
Peter Håkanson
IPSec Sverige (At the Riverside of Gothenburg, home of Volvo)
Sorry about my e-mail address, but I'm trying to keep spam out.
Remove "icke-reklam" and it works.
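As an added illustration of the mechanics this thread argues over (example code, not from the posters or from BIND): a small Python script that builds a DNS message, detects the TC bit that tells a resolver to retry a truncated UDP answer over TCP, shows the two-byte length framing used on TCP/53, and tells a zone-transfer query apart from an ordinary one, which a firewall rule keyed on port alone cannot do. All names, transaction ids and messages are constructed, not captured traffic.

```python
import struct

QTYPE_A, QTYPE_IXFR, QTYPE_AXFR = 1, 251, 252

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (RFC 1035 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(txid, flags, qname, qtype):
    """12-byte header plus one question; a constructed sample, not a capture."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_flags(msg):
    """Pull the header bits a resolver or firewall cares about."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": (flags >> 15) & 1, "tc": (flags >> 9) & 1,
            "rd": (flags >> 8) & 1, "rcode": flags & 0xF}

def question_qtype(msg):
    """QTYPE of the first question (question names are never compressed)."""
    pos = 12
    while msg[pos]:                  # walk labels until the zero-length root
        pos += 1 + msg[pos]
    return struct.unpack("!H", msg[pos + 1:pos + 3])[0]

def next_transport(udp_reply):
    """'tcp' when the UDP answer was truncated (TC=1), otherwise 'done'."""
    f = parse_flags(udp_reply)
    if not f["qr"]:
        raise ValueError("not a response")
    return "tcp" if f["tc"] else "done"

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream):
    """Yield complete messages from a TCP byte stream; a partial tail is left."""
    pos = 0
    while pos + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + n > len(stream):
            break
        yield stream[pos + 2:pos + 2 + n]
        pos += 2 + n

def classify_tcp_query(msg):
    """Zone transfer (AXFR/IXFR) versus an ordinary query that fell back to TCP."""
    return "zone-transfer" if question_qtype(msg) in (QTYPE_AXFR, QTYPE_IXFR) else "query"
```

A resolver that gets "tcp" from next_transport() has nowhere to go if TCP/53 is dropped at the firewall; an inspecting rule could instead let "query" flows through and limit "zone-transfer" flows to the listed secondaries.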