Restricting TCP / 53 on the firewall level

Barry Margolin barmar at genuity.net
Mon Mar 25 20:55:37 UTC 2002


In article <a7o1ig$l98 at pub3.rc.vix.com>,  <phn at icke-reklam.ipsec.nu> wrote:
>
>Kristin Gorman <kgorman at book.com> wrote:
>> Does anyone see any issues with restricting TCP/53 on a firewall in front of
>> your DNS server?  There would be no legitimate query that would warrant an
>> answer larger than 512 bytes.  Zone transfers are done internally amongst
>> machines behind the firewall.
>
>DNS requires UDP and TCP port 53. 
>
>If you opt for breaking standards ( for whatever reason) you cannot
>blame anyone but yourself for any time and efforts used to debug problems.

A standard that a sizable fraction of the Internet community routinely
breaks with no consequences can't really be too important.  I'd say that
this is in the same category as using RFC 1918 addresses on internal links
to routable addresses -- more honored in the breach.

>Regarding sizes of answers, yes, legitimate answers might very well
>be larger than 512 bytes (hint, you might ask for something
>that some other nameserver will need 550 bytes to answer).

I assume he's only talking about blocking *incoming* connections, not
connections that his nameserver initiates.  In that case, he controls the
size of the answers.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
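The point of the reply above is that an operator who only blocks inbound TCP/53 controls the size of the answers their own authoritative server returns. The following added example (not from the thread or from BIND) encodes a DNS response in RFC 1035 wire format without name compression and reports whether it stays within the 512-byte UDP limit; the names, addresses and record sets are constructed sample data, and since no compression is applied the size is an upper bound on what a real server would emit.

```python
import struct

# Constructed sample data (not from the thread): what the authoritative server
# behind the firewall would return for an A query, with NS records and glue.
SAMPLE_QUESTION = ("www.example.com", 1)            # qtype 1 = A
SAMPLE_ANSWERS = [("www.example.com", 1, 3600, bytes([192, 0, 2, 1]))]
SAMPLE_AUTHORITY = [("example.com", 2, 86400, "ns1.example.com"),
                    ("example.com", 2, 86400, "ns2.example.com")]
SAMPLE_ADDITIONAL = [("ns1.example.com", 1, 86400, bytes([192, 0, 2, 53])),
                     ("ns2.example.com", 1, 86400, bytes([192, 0, 2, 54]))]
UDP_LIMIT = 512  # RFC 1035 UDP payload limit; larger answers set TC and retry over TCP

def encode_name(name):
    """RFC 1035 wire form: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def encode_rr(name, rtype, ttl, rdata):
    """One resource record, class IN; NS rdata given as a name is encoded."""
    if isinstance(rdata, str):
        rdata = encode_name(rdata)
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(question, answers, authority=(), additional=()):
    """Uncompressed response: header, question, then the three RR sections.
    Without name compression the length is an upper bound on what a real
    server emits, so staying under UDP_LIMIT here means TCP is never needed."""
    header = struct.pack("!6H", 0x1234, 0x8400,  # id; QR + AA flags set
                         1, len(answers), len(authority), len(additional))
    msg = header + encode_name(question[0]) + struct.pack("!HH", question[1], 1)
    for rr in list(answers) + list(authority) + list(additional):
        msg += encode_rr(*rr)
    return msg

def response_size(question, answers, authority=(), additional=()):
    return len(build_response(question, answers, authority, additional))

def fits_in_udp(size, limit=UDP_LIMIT):
    return size <= limit

if __name__ == "__main__":
    size = response_size(SAMPLE_QUESTION, SAMPLE_ANSWERS, SAMPLE_AUTHORITY, SAMPLE_ADDITIONAL)
    print("response is %d bytes; fits in UDP: %s" % (size, fits_in_udp(size)))
```

Running the check over every RRset in the zone (a large round-robin A set, for instance) shows which answers would set TC and need the TCP fallback the firewall rule removes.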

