Yes, zone transfers use TCP. But normal queries can use both TCP and UDP. TCP
is required if the response is more than one UDP packet (512 bytes); this isn't
very common, but, for example, the aol.com MX records are easily bigger than
this.
Yes, the best way to control who can do queries is with the options in BIND 8.
Note that most nameserver-to-nameserver queries (which is what your nameserver
will be doing when it gets a (recursive) request from your internal network) are
done with a source port of 53; most versions of BIND do it this way. That means
the responses from the Internet come back to port 53. If your nameserver does
this (you might have to trace it), you shouldn't block inbound port 53.
Tony Rall
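Tony's point about the 512-byte UDP limit and the TCP fallback, worked through in code. This is an added example, not code from anyone in the thread: it builds a recursive MX query, decodes the fixed 12-byte DNS header, and uses the TC (truncated) flag of a UDP answer to decide whether the same question has to be re-sent over TCP, where each message carries a 2-byte length prefix. The two sample responses for example.com are constructed byte strings, not captured traffic. The TC path is exactly why a firewall in front of a resolver must pass TCP/53 as well as UDP/53.

```python
"""DNS header parsing and the UDP-to-TCP fallback (added example, constructed data)."""
import struct

DNS_UDP_MAX = 512  # RFC 1035: a UDP DNS message carries at most 512 bytes of payload
FLAG_QR = 0x8000   # 1 = response
FLAG_AA = 0x0400   # authoritative answer
FLAG_TC = 0x0200   # truncated: the full answer did not fit, ask again over TCP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
QTYPE_MX, QCLASS_IN = 15, 1


def encode_name(name: str) -> bytes:
    """Wire-format a name as length-prefixed labels terminated by the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(ident: int, name: str, qtype: int = QTYPE_MX) -> bytes:
    """A recursive query (RD=1) with one question, like a stub resolver would send."""
    header = struct.pack("!6H", ident, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header: ID, flag bits and the four section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC), "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def fits_in_udp(msg: bytes) -> bool:
    """Whether a server could have sent this message over UDP without truncating."""
    return len(msg) <= DNS_UDP_MAX


def needs_tcp_retry(query: bytes, udp_response: bytes) -> bool:
    """True when the UDP answer to `query` carries TC=1.

    A packet whose ID does not match, or which is not a response at all, is
    rejected instead of acted on: a resolver must not retry on someone else's
    (or a spoofed) answer.
    """
    q, r = parse_header(query), parse_header(udp_response)
    if not r["qr"] or r["id"] != q["id"]:
        raise ValueError("packet is not a response to this query")
    return r["tc"]


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP (RFC 1035 4.2.2) prefixes every message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


# --- Constructed sample traffic for example.com (not captured packets) --------
QUERY = build_query(0x1234, "example.com")
QUESTION = encode_name("example.com") + struct.pack("!HH", QTYPE_MX, QCLASS_IN)
# One MX answer; its owner name is a compression pointer (0xC00C) to the question
# name, which starts at offset 12 right after the header.
MX_RDATA = struct.pack("!H", 10) + encode_name("mail.example.com")
MX_ANSWER = (b"\xc0\x0c"
             + struct.pack("!HHIH", QTYPE_MX, QCLASS_IN, 3600, len(MX_RDATA))
             + MX_RDATA)
# Complete answer: QR, RD, RA set, one answer record.
COMPLETE_UDP = (struct.pack("!6H", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
                + QUESTION + MX_ANSWER)
# Truncated answer: same flags plus TC, answer section dropped, as a server does
# when the full record set (e.g. a large MX set) will not fit in 512 bytes.
TRUNCATED_UDP = (struct.pack("!6H", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0)
                 + QUESTION)

if __name__ == "__main__":
    for label, resp in (("complete", COMPLETE_UDP), ("truncated", TRUNCATED_UDP)):
        retry = needs_tcp_retry(QUERY, resp)
        print(f"{label}: tc={parse_header(resp)['tc']} -> retry over TCP: {retry}")
    print("TCP framing adds", len(tcp_frame(QUERY)) - len(QUERY), "bytes")
```

Run it as a script and the truncated response is the one that triggers the TCP retry; on the wire that retry is a new connection to TCP port 53 of the same server, which is the traffic a too-tight "UDP only" DNS rule silently breaks.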
Vesselin Mladenov <[EMAIL PROTECTED]> on 07/03/1999 19:06:24 wrote:
TCP is for zone transfers (master->slave), while UDP is used for DNS queries
and zone notifications.
It is a good idea to let the other world query your DNS server, so the domain(s)
for which you're authoritative can be resolved. It is a good idea to be a slave
for the zone for reverse resolving (unless you have delegation for it). This way
you can speed up your DNS.
Also you can assign domain names to the hosts in your private (as far as I
understood) network and run a zone for reverse resolving for those private nets.
This way services that try to resolve IPs will not wait for DNS to try to
resolve these IPs.
In BIND >8.2 it is possible to restrict incoming queries for each zone.
If you don't want to let others make zone transfers from you, you can add the
permitted hosts either in the access list of the DNS server or put a firewall
that denies incoming TCP packets with the SYN flag set.
Also check out http://www.isc.org/ and look for BIND.
Good luck
Vanja Hrustic wrote:
> Small & silly problem.
>
> Intranet ==> DNS ==> Internet
>
> In this case, DNS is the machine that has a 'normal' IP address assigned
> (visible/accessible from Internet), and is used to resolve Internet
> addresses for Intranet users.
>
> The question.
>
> Is there any reason why the DNS server should accept connections at port 53
> (TCP and/or UDP) from the 'outer' world? As much as I can understand, there
> is no need. But... I ask, just to make sure :)
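Vesselin's suggestion above, restricting queries per zone and limiting zone transfers in the server's own access lists, as a named.conf fragment. This is an added example, not configuration from anyone in the thread or from ISC: it assumes BIND 8.2-era syntax, and the network 192.0.2.0/24 and the host 198.51.100.5 are documentation addresses standing in for the internal network and the secondary server.

```conf
// named.conf fragment (BIND 8.2 syntax, constructed example).
// "internal" is the intranet that may use this server as a resolver;
// "secondaries" are the only hosts allowed to pull a full zone copy.
acl "internal"    { 192.0.2.0/24; 127.0.0.1; };
acl "secondaries" { 198.51.100.5; };

options {
    directory "/var/named";
    // Recursive lookups (the Intranet ==> DNS ==> Internet case) only for us.
    allow-recursion { "internal"; };
    // Default for every zone: nobody transfers unless the zone says otherwise.
    allow-transfer { none; };
};

// Zone we are authoritative for: the whole world may query it, so the names
// resolve; only our own secondary may AXFR it.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-query    { any; };
    allow-transfer { "secondaries"; };
};

// Slave copy of the reverse zone for the internal range, so reverse lookups
// for private hosts are answered locally instead of timing out.
zone "2.0.192.in-addr.arpa" {
    type slave;
    file "db.192.0.2";
    masters { 198.51.100.5; };
    allow-query { "internal"; };
};
```

The access lists and a packet filter are complementary: the filter can drop TCP SYNs to port 53 from anything but the secondary, but it cannot tell an AXFR from a legitimate truncated-response retry over TCP, so the per-zone allow-transfer is what actually decides who gets the zone.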