Hi there... when you're ready to release this, please send a note to
'[EMAIL PROTECTED]' and we'll add it to the list of HOWTOs. If you 
can host it somewhere yourself, then just send us the URL.  If you need us
to host it, send the document along and I can throw it up on e-smith.org.

> =================================================================
> == Security
> =================================================================
> I am limiting packets to be of type UDP on port 53, since TCP packets are
> used for ZONE update requests.  Is this enough, or are there more rules I can
> put in IPchains?

My understanding of DNS *client* resolver behavior was that the client
first tries to send a UDP query on port 53 to the target DNS server. In 
normal conditions, the DNS server gets the UDP query and sends back a
response via UDP.  However, if the client does not receive the UDP query 
back, it makes the assumption that the packet is getting lost somewhere
and the DNS client initiates a TCP connection to the DNS server.

So if you limit the server to receiving UDP packets, there may be
some (probably rare) cases where DNS clients would be unable to retrieve
the information from your DNS server (because they flip to TCP).

My 2 cents,
Dan
-- 
Dan York, Director of Training        [EMAIL PROTECTED]
Ph: +1-613-751-4401  Mobile: +1-613-263-4312 Fax: +1-613-564-7739 
e-smith, inc. 150 Metcalfe St., Suite 1500, Ottawa,ON K2P 1P1 Canada
http://www.e-smith.com/            open source, open mind

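Dan's note says clients "flip to TCP"; as an added example (not part of this thread or of e-smith), below is the check a resolver makes before doing so, assuming the RFC 1035 rule that the switch is triggered by the TC (truncated) bit in a UDP answer, plus the (protocol, port) pairs a firewall would then have to admit. The two sample answers are constructed headers, not captured traffic.

```python
import struct

TC_FLAG = 0x0200  # TC ("truncated") bit in the DNS header flags word

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query in wire format (A record by default), RD bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode()
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def frame_for_tcp(msg):
    """DNS over TCP (RFC 1035 4.2.2) prefixes each message with a 2-byte length."""
    return struct.pack(">H", len(msg)) + msg

def needs_tcp_retry(udp_response):
    """True when a resolver would retry this query over TCP/53 (TC bit set)."""
    if len(udp_response) < 12:
        return False  # not a parsable header; no TC bit to act on
    flags = struct.unpack(">H", udp_response[2:4])[0]
    return bool(flags & TC_FLAG)

def ports_needed(udp_responses):
    """(proto, port) pairs a firewall must admit for the observed UDP answers."""
    needed = {("udp", 53)}
    if any(needs_tcp_retry(r) for r in udp_responses):
        needed.add(("tcp", 53))
    return needed

# Constructed sample answers (header only, no records), both with txid 0x1234:
# flags 0x8180 = QR|RD|RA (normal), flags 0x8380 = QR|TC|RD|RA (truncated).
NORMAL_ANSWER = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
TRUNCATED_ANSWER = struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com")
    print("UDP query bytes:", len(q), "TCP-framed bytes:", len(frame_for_tcp(q)))
    print("normal answer -> TCP retry?", needs_tcp_retry(NORMAL_ANSWER))
    print("truncated answer -> TCP retry?", needs_tcp_retry(TRUNCATED_ANSWER))
    print("rules needed:", sorted(ports_needed([NORMAL_ANSWER, TRUNCATED_ANSWER])))
```

A UDP-only rule set on the server side is what makes the truncated case fail: the retry arrives on TCP/53 and is dropped, so the client never gets the full answer.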