Disable TCP/53

phn at icke-reklam.ipsec.nu
Sat Feb 23 08:50:32 UTC 2002


dave.goldsmith at intelsat.com wrote:

> There have been a number of responses in the line of "your firewall is
> broken -- fix it".  This is not necessarily the case. DNS uses TCP for two
> reasons.  The first is zone transfers, the second is to return responses to
> queries that are too large to fit in a UDP packet.

The third is to answer queries that have been made using TCP.

Remember that one of the big irons once had a version of their un*x that
actually defaulted to TCP. Blocking TCP would prevent all of these
from ever asking such a nameserver.

And it's not optional either; it's specifically required
(RFC 1123 6.1.3.2, Transport Protocols).


> Regarding zone transfers, you should only allow authorized external
> secondary DNS servers to do a zone transfer from your server.  Two security
> settings can be applied here.  On the DNS server, you can specify a list of
> servers authorized to pull zone files.  If you have a firewall of some sort,
> you can also restrict access to TCP/53 to your DNS server to the same list
> of authorized secondaries.  Restricting access to TCP/53 on the firewall
> will interfere with the ability to use TCP for large query response but most
> people don't have DNS records so complex or numerous that the responses
> don't fit in UDP response packets.

Unless one uses some broken implementation of dynamic update that
causes multiple records with the same "key"; this may easily create
lots of records, too big for a UDP answer.

> Dave Goldsmith

>> -----Original Message-----
>> From: Tan Chun Han/ITNOC/PBB/PBBG [mailto:tanch at publicbank.com.my]
>> Sent: Wednesday, February 20, 2002 9:15 PM
>> To: bind-users at isc.org
>> Subject: Disable TCP/53
>> 
>> Hi, our firewall keeps detecting and rejecting TCP/53 queries.
>> Does bind by default use TCP/53 and UDP/53? Is there any way 
>> to disable
>> TCP/53, thus enabling UDP/53?
>  



-- 
Peter Håkanson         
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but i'm trying to keep spam out.
	   Remove "icke-reklam" and it works.
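The truncation-then-retry behaviour discussed in this thread (the reason a resolver needs TCP/53 even when it never asks for a zone transfer) as an added example; this is not code from the original posts or from BIND. It is a minimal DNS client in Python: it encodes a query, sends it over UDP, and when the reply carries the TC bit it repeats the query over TCP with the 16-bit length prefix DNS-over-TCP uses. The network calls sit behind replaceable transport functions so the logic can be run offline against two hand-built replies (a truncated UDP reply and a complete TCP reply); the server address 192.0.2.53 is a documentation-range placeholder, and the example.com answer bytes are constructed here, not captured from a real server.

```python
# Added example (not from the thread or from BIND): UDP query, TCP retry on
# truncation (RFC 1123 6.1.3.2), TCP framing per RFC 1035 4.2.2.
import socket
import struct

DNS_PORT = 53

def build_query(qname, qtype=1, qid=0x1234):
    """Encode a standard recursive query (QR=0, RD=1) for qname/qtype (1 = A)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte header; TC is bit 0x0200 of the flags word."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def needs_tcp_retry(msg):
    """True for a response with TC set: the partial answer must not be used."""
    hdr = parse_header(msg)
    return hdr["qr"] and hdr["tc"]

def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with its big-endian 16-bit length."""
    return struct.pack("!H", len(msg)) + msg

def unframe_from_tcp(data):
    """Strip the length prefix, refusing a short or truncated stream."""
    if len(data) < 2:
        raise ValueError("TCP DNS stream shorter than length prefix")
    (length,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + length:
        raise ValueError("TCP DNS stream truncated")
    return data[2:2 + length]

def udp_transport(server, query):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(query, (server, DNS_PORT))
        return s.recv(512)   # classic non-EDNS UDP limit (RFC 1035 2.3.4)

def tcp_transport(server, query):
    with socket.create_connection((server, DNS_PORT), timeout=3) as s:
        s.sendall(frame_for_tcp(query))
        data = b""
        while len(data) < 2 or len(data) < 2 + struct.unpack("!H", data[:2])[0]:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed TCP connection early")
            data += chunk
        return unframe_from_tcp(data)

def resolve(server, qname, udp=udp_transport, tcp=tcp_transport):
    """Query over UDP; on truncation retry over TCP. Returns (reply, transport).
    With TCP/53 blocked at a firewall the second step fails and the resolver
    is left holding an answer it is not allowed to trust."""
    query = build_query(qname)
    reply = udp(server, query)
    if needs_tcp_retry(reply):
        return tcp(server, query), "tcp"
    return reply, "udp"

# Constructed sample replies (hand-built, not captured): a truncated UDP reply
# with QR=1, TC=1, RD=1, RA=1 and no RRs, and a full TCP reply with one A RR.
QUESTION = build_query("example.com")[12:]
TRUNCATED_UDP_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUESTION
FULL_TCP_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

def demo():
    """Drive resolve() with fake transports so it runs offline."""
    calls = []
    def fake_udp(server, q):
        calls.append("udp")
        return TRUNCATED_UDP_REPLY
    def fake_tcp(server, q):
        calls.append("tcp")
        return FULL_TCP_REPLY
    reply, used = resolve("192.0.2.53", "example.com", udp=fake_udp, tcp=fake_tcp)
    return used, calls, parse_header(reply)["ancount"]

if __name__ == "__main__":
    print(demo())
```

Swapping the fake transports for the real `udp_transport` and `tcp_transport` turns this into a live probe: against a firewall that rejects TCP/53, a truncated UDP reply is followed by a connection timeout or reset, which is exactly the failure the original poster's firewall logs were showing from the other side.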

