Russell,

On Sun, 30 Dec 2001, Russell Coker wrote:

> 
> Also don't allow recursion from outside machines.

Why does this help?

> 
> Another possibility is to have the port for outgoing connections be something 
> other than 53 (54 seems unused) and use iptables or ipchains to block data 
> from the outside world coming to port 53.
> 
        Security through obscurity? Quite frankly, I find this strategy
annoying. Nothing annoys me more than finding out that I have to open up
yet another hole in my firewall so that I can access another idiot who has
set up his webserver at port 1080, or 8080 or whatever his fancy pleases.
If your service isnt secure at the IANA designated port, why would it be
secure at the new one?

        Of course, in the case of DNS servers, you could be OK, since you
do want to lessen the number of folks who use your services (right?). But
in general, I consider this to be poor advice.

Regards,
Jor-el

Reply via email to