Vulnerability to cache poisoning -- the rest of the solution
Mark Andrews
Mark_Andrews at isc.org
Mon Jul 14 22:47:47 UTC 2008
> If that's the case, why wouldn't we have needed to open the firewall to allow
> this behavior for TCP?
No, because your firewall is most probably open for all
outgoing TCP connections, or else FTP, HTTP to non-standard
ports, etc. will not work. A stateless firewall can still
look at the flag bits in a TCP header and only allow a
connection to establish itself if it comes from inside.
UDP, being a connectionless protocol, needs the firewall
to keep state. To avoid having to keep state (or if you
only have a stateless firewall) one could configure named
to use a fixed port to make queries. The fixed port often
chosen was 53, because named was usually also serving
zones and that meant only one hole in the firewall needed
to be open.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
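The firewall behaviour the reply describes, as an added example that is not part of the original post or of BIND: a toy packet filter that shows why a stateless filter can admit TCP replies by inspecting the flag bits, while for UDP it must either keep flow state or leave a static hole for a fixed query port, and what that fixed port means for a spoofed reply. All addresses, ports and the `Packet`/`StatefulFilter` names are constructed for the illustration.

```python
# Added example, not code from the post or from BIND. Models a stateless and a
# stateful packet filter in front of a recursive resolver. Addresses are
# constructed (RFC 5737 documentation ranges).
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

INSIDE_PREFIX = "192.0.2."          # constructed "inside" network
RESOLVER = "192.0.2.10"             # constructed: our recursive named
AUTH_SERVER = "198.51.100.5"        # constructed: an authoritative server


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flag names; empty for UDP


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


def stateless_allow(pkt: Packet, udp_holes: FrozenSet[int] = frozenset()) -> bool:
    """Decide from this one packet alone, with no memory of earlier traffic.

    udp_holes: inbound UDP destination ports that are statically opened,
    e.g. {53} when named both serves zones and sends its queries from 53.
    """
    if is_inside(pkt.src):
        return True                                  # all outbound allowed
    if pkt.proto == "tcp":
        # A bare SYN from outside is a new connection attempt: drop it.
        # SYN+ACK, ACK or data can only belong to a connection that was
        # opened from inside, and the header itself tells us so.
        return not ("SYN" in pkt.flags and "ACK" not in pkt.flags)
    # UDP has no handshake bits, so without state only static holes work.
    return pkt.dport in udp_holes


class StatefulFilter:
    """Remembers outbound flows and admits only their reverse direction."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def dns_exchange(query_port: int, guessed_port: int):
    """The resolver's query, the genuine reply, and a forged reply whose
    source address is spoofed to look like the authoritative server and
    whose destination port is the attacker's guess of the query port."""
    query = Packet("udp", RESOLVER, query_port, AUTH_SERVER, 53)
    reply = Packet("udp", AUTH_SERVER, 53, RESOLVER, query_port)
    forged = Packet("udp", AUTH_SERVER, 53, RESOLVER, guessed_port)
    return query, reply, forged


def run_scenarios() -> Dict[str, bool]:
    r: Dict[str, bool] = {}

    # TCP, stateless: inbound SYN dropped, inbound SYN+ACK passes, no state kept.
    syn_in = Packet("tcp", AUTH_SERVER, 40000, RESOLVER, 53, frozenset({"SYN"}))
    synack_in = Packet("tcp", AUTH_SERVER, 53, RESOLVER, 40001, frozenset({"SYN", "ACK"}))
    r["tcp_stateless_blocks_inbound_syn"] = not stateless_allow(syn_in)
    r["tcp_stateless_allows_synack"] = stateless_allow(synack_in)

    hole53 = frozenset({53})
    # Random query port behind a stateless filter with only the port-53 hole:
    # the genuine reply never gets in. This is why randomised ports need state.
    _, reply_rand, _ = dns_exchange(51234, 51234)
    r["udp_random_port_stateless_drops_reply"] = not stateless_allow(reply_rand, hole53)

    # Fixed query port 53 and the same single hole: the reply passes, but the
    # forger also knows the port in advance, so the forgery passes too.
    _, reply_fixed, forged_fixed = dns_exchange(53, 53)
    r["udp_fixed_port_stateless_allows_reply"] = stateless_allow(reply_fixed, hole53)
    r["udp_fixed_port_stateless_allows_forgery"] = stateless_allow(forged_fixed, hole53)

    # Random query port behind a stateful filter: the reply matches the flow
    # created by the outbound query; a forgery aimed at a wrong port guess
    # matches nothing. A correct guess would still pass, which is why the
    # port must be hard to guess rather than merely filtered.
    fw = StatefulFilter()
    query, reply, wrong_guess = dns_exchange(51234, 1025)
    fw.allow(query)
    r["udp_random_port_stateful_allows_reply"] = fw.allow(reply)
    r["udp_random_port_stateful_drops_wrong_guess"] = not fw.allow(wrong_guess)
    return r


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The stateful filter only checks that an inbound packet mirrors a flow it saw leave; it does not verify that the source address is genuine, so a forged reply with a spoofed source still passes whenever the attacker guesses the query port. The firewall's job here is to let randomised-port replies through at all; making the port unguessable is what raises the attacker's cost.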