hi vanja,
> I've heard various comments on this, so I want to double-check it.
>
> Is it ok if only UDP/53 is left open, to serve DNS requests? As much as
> I have understood, I can safely close TCP/53. The server in question is
> a 'small' one (meaning: not so many requests per day, and only requests
> for www/dns/mail will probably come there anyway).
>
> I have been looking at the traffic for the past 24 hours, and as much as I
> can see, everything works fine (some requests come first to TCP/53, but
> they are resent after a few secs to UDP/53). However, I might break
> something without knowing it :)
you don't say what your server software is, but it's most probably
bind or based on bind...
all versions of bind can use tcp for results.
if you want to restrict zone transfers to secondary name servers
do so in your named.conf/named.boot file. see the bind docs for
more details. you can find those from links at:
http://www.isc.org/view.cgi?/products/BIND/index.phtml
for a complete explanation on how bind uses port numbers see:
http://www.intac.com/~cdp/cptd-faq/section2.html#ports
or check out RFC 1035:
http://www.crynwr.com/crynwr/rfc1035/rfc1035.html
there is also a doc. on securing DNS servers which might help:
http://www.acmebw.com/securing/Securing.PDF
hope this helps,
pauline
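as an added illustration of the named.conf advice above (this is not part of pauline's message, and the zone name, file path and secondary addresses are constructed placeholders), here is a BIND 8/9-style configuration that denies zone transfers by default and allows them only to the listed secondaries, so TCP/53 can stay open for ordinary truncated-response retries without exposing AXFR to everyone:

```conf
// Constructed example, not from the original message or the bind docs.
// Without an allow-transfer statement, bind answers AXFR requests from
// any host; that is the "weak" default this config replaces.

// hosts permitted to pull full zone copies (placeholder addresses)
acl secondaries { 192.0.2.53; 198.51.100.53; };

options {
    directory "/var/named";
    // deny zone transfers globally; re-enable per zone below
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // only the secondaries may transfer this zone (over TCP/53)
    allow-transfer { secondaries; };
    // tell them when the zone changes so they refresh promptly
    also-notify { 192.0.2.53; 198.51.100.53; };
};
```

with this in place, ordinary queries still get TCP retries when a UDP answer is truncated, while an AXFR request from any other host is refused by the server itself rather than by the firewall.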