Vanja Hrustic wrote:
> 
> I've heard various comments on this, so I want to double-check it.
> 
> Is it ok if only UDP/53 is left open, to serve DNS requests? As much as
> I have understood, I can safely close TCP/53. The server in question is
> a 'small' one (meaning: not so many requests per day, and only requests
> for www/dns/mail will probably come there anyway).

1) Several people have said that if the request or response is above a
   certain size, TCP may be used. I've also heard some retry mechanisms
   switch from UDP to TCP.

2) I know from personal experience that in some circumstances applications
   will break if you block incoming TCP 53. Case in point: AOL Instant Messenger
   quit working here for campus users. It quit working several hours after
   the block was installed and it took several hours for functionality
   to return when it was removed. Instead of depending upon a TCP-53
   block, we reconfigured our name servers to deny zone transfers except
   to official secondary name servers.

Anyway, I'm not sure of the usefulness of simply blocking zone transfers. It's
too easy to crawl through the reverse name space one address at a time
with or without a preexisting map of existing systems derived from scans.

Splitting your DNS servers so that only publicly accessible machines have
their names available is a more secure solution.

gary
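One way to implement the name-server-side controls gary describes (deny zone transfers except to the official secondaries, and split the namespace so only publicly reachable hosts are visible from outside), as an added example that is not part of the thread. It assumes BIND's named.conf syntax and constructed addresses: 192.0.2.10 and 192.0.2.11 as the secondaries, 10.0.0.0/8 as the internal network.

```conf
// Constructed example: authoritative BIND server for example.com.
// Weak setting being replaced: "allow-transfer { any; };" (or no
// allow-transfer at all on older defaults), which lets anyone pull
// the whole zone with a single AXFR over TCP/53.

acl "secondaries" { 192.0.2.10; 192.0.2.11; };   // official secondary name servers
acl "internal"    { 10.0.0.0/8; 127.0.0.1; };    // campus / internal network

options {
    directory "/var/named";
    // Global default: no host may transfer any zone unless a zone
    // statement explicitly overrides this. TCP/53 stays open, so
    // truncated (TC) answers and legitimate AXFR to secondaries still work.
    allow-transfer { none; };
};

// Views are matched in order; the first match-clients that fits wins,
// so the internal view must come before the catch-all external view.
view "internal" {
    match-clients { internal; };
    recursion yes;                       // internal clients may recurse
    zone "example.com" {
        type master;
        file "internal/db.example.com";  // full map: workstations, printers, etc.
        allow-transfer { secondaries; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;                        // never recurse for the outside world
    zone "example.com" {
        type master;
        file "external/db.example.com";  // only www, mail, ns records
        allow-transfer { secondaries; };
    };
};
```

With views in use every zone must live inside a view, and the reverse (in-addr.arpa) zones should be split the same way, since the reverse space is what the crawl gary mentions walks through.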
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]