babu dheen wrote on 03/25/2013 12:21:30 PM:

> Still not convinced because if I need to allow >1024 port from our
> DNS server to external world (internet).. where is the security?

Total security requires total isolation. It is a matter of accepting some risks to perform the needed task.

> I believe we just need to allow TCP and UDP 53 from our DNS server
> to internet (any) which is already done. Not sure why we have to open
> non standard port from our DNS server to internet?
>
> Kindly provide some details.

You send a request via UDP from a random high port to an authoritative server. The answer is too large to fit in a UDP packet, so it responds via TCP to the source port of the request (the random high port from above). If you block that TCP connection, you cannot receive the answer to your query.

Another reason for TCP replies is DNS Response Rate Limiting (RRL).

Some "modern" stateful firewalls understand DNS, and if there is a UDP packet sent to port 53, they will accept TCP connections back from the destination address on port 53 to the source address/port.
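The UDP-to-TCP fallback discussed in the reply above, as an added example that is not part of the original message: under RFC 1035 an answer too large for UDP comes back with the TC (truncated) flag set, and the resolver repeats the query over TCP to port 53 from an ephemeral source port. The function names and the sample packets are constructed for illustration.

```python
import struct

QR_FLAG = 0x8000  # message is a response
TC_FLAG = 0x0200  # answer was truncated to fit the UDP payload

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def needs_tcp_retry(query, udp_response):
    """True when the UDP reply belongs to our query and has TC set."""
    if len(udp_response) < 12:
        raise ValueError("shorter than a DNS header")
    rid, flags = struct.unpack("!HH", udp_response[:4])
    (qid,) = struct.unpack("!H", query[:2])
    if rid != qid or not flags & QR_FLAG:
        return False  # stray or spoofed datagram, ignore it
    return bool(flags & TC_FLAG)

def frame_for_tcp(query):
    """DNS over TCP carries a 2-byte length prefix before each message."""
    return struct.pack("!H", len(query)) + query

def flows_needed(query, udp_response):
    """Outbound (protocol, destination port) pairs the firewall must pass."""
    flows = [("udp", 53)]
    if needs_tcp_retry(query, udp_response):
        flows.append(("tcp", 53))
    return flows

# Constructed sample packets (not captured traffic).
QUERY = build_query("example.com")
QUESTION = QUERY[12:]
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUESTION
ANSWER_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
COMPLETE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER_RR

if __name__ == "__main__":
    for label, reply in (("complete", COMPLETE), ("truncated", TRUNCATED)):
        print(label, flows_needed(QUERY, reply))
    print("TCP framing prefix:", frame_for_tcp(QUERY)[:2].hex())
```

Both flows originate at the resolver, so a stateful rule set needs outbound UDP and TCP to port 53, with return traffic matched by connection state.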