Restricting TCP / 53 on the firewall level

Jim Reid jim at rfc1035.com
Tue Mar 26 09:29:50 UTC 2002


>>>>> "Barry" == Barry Margolin <barmar at genuity.net> writes:

    >> That may be your experience. But it still doesn't make the
    >> practice of blocking TCP queries right or sensible.

    Barry> True interoperability means complying with de facto
    Barry> standards, not just official standards.  Any application
    Barry> that depends critically on TCP DNS to remote servers is
    Barry> likely not fully interoperable, because so many sites
    Barry> firewall their DNS servers in this way.  Reality bites.

So much for the principle of "be liberal in what you accept and
conservative about what you send": the true cornerstone of
interoperability.

    Barry> I'm not actively promoting blocking TCP DNS, just letting
    Barry> him know that it's unlikely anything horrible will result,
    Barry> because many others get away with it as well.  
    Barry> Sometimes when the security guys are breathing down your
    Barry> neck, it's OK to compromise rather than fight them.

If the security guys are so clueless that they think blocking DNS over
TCP "improves security", then it's time to educate them about the real
world. Or quit if they can't/won't listen because it's not worth
fighting that battle. I disagree with your claim of "not actively
promoting blocking TCP DNS". You said this was harmless in your
experience. Unless you'd said that blocking TCP queries was a Very
Good Thing, your statement could hardly provide more encouragement for
this stupid and pointless behaviour.
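For readers who want to see concretely what a firewall rule dropping TCP/53 breaks, here is an added check (not part of Jim's or Barry's posts): it sends a DNS query over UDP, inspects the TC (truncated) bit that tells a resolver to retry over TCP, and then repeats the query over TCP with the RFC 1035 two-byte length prefix. The server address and query name are arguments the reader supplies; nothing else is assumed.

```python
import socket
import struct

# Header flag bits from RFC 1035 section 4.1.1.
FLAG_RD = 0x0100  # recursion desired
FLAG_TC = 0x0200  # answer was truncated to fit a UDP reply

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal recursive query for `name` (qtype 1 = A, class IN)."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def is_truncated(resp):
    """True when the server set TC, i.e. the client must retry over TCP."""
    return bool(struct.unpack(">H", resp[2:4])[0] & FLAG_TC)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TCP connection early")
        buf += chunk
    return buf

def query_udp(server, name, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(512)

def query_tcp(server, name, timeout=3.0):
    """Same query over TCP: each message is prefixed with its 2-byte length."""
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(q)) + q)
        (length,) = struct.unpack(">H", _recv_exact(s, 2))
        return _recv_exact(s, length)

def check_tcp_fallback(server, name):
    """Report whether UDP answered truncated and whether TCP/53 is reachable."""
    result = {"udp_truncated": None, "tcp_ok": False, "error": None}
    try:
        result["udp_truncated"] = is_truncated(query_udp(server, name))
        query_tcp(server, name)
        result["tcp_ok"] = True
    except OSError as exc:  # a timeout or refused connect on TCP/53 means a filter
        result["error"] = str(exc)
    return result
```

Run `check_tcp_fallback("<server-ip>", "<name>")` against a server behind the firewall in question: a truncated UDP answer together with `tcp_ok == False` is exactly the case where the client gets no usable answer at all.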


More information about the bind-users mailing list