> Allow ANY source port for your DNS queries.

>         This is a very BAD practice.  There are intruders out there RIGHT
> NOW who are using port 53 as the source port to perform UDP service scans
> and to access things like tftp when and where they find them!
>
>         If you want to do it right, set up a forwarding caching DNS server
> somewhere where you can control access to it and let it do all your DNS
> work for you.  Then you can restrict your DNS filters to one and only
> one address.  All your internal sites have to go through that server.


Actually - If you want to "do it right" and don't want or need a caching server, what
you want to do is ONLY allow port 53 UDP traffic between your hosts and the external
DNS server through the use of Access Control Lists on your router/firewall.

remember DENY EVERYTHING PERMIT ONLY WHAT YOU NEED (and ONLY from whom you need to get
it).

my .02..

Marc..

+++++++++++++++++++++++
Marc Renner - Director         http://ci.marysville.wa.us
Network Operations Dept.    Mailto:[EMAIL PROTECTED]
City of Marysville, Wa.          (360) 651-5000
+++++++++++++++++++++++
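To show why the two filters behave differently, here is an added Python model of the rule sets (not code from the thread or from the City of Marysville). It assumes an internal network of 192.0.2.0/24 and a single permitted resolver at 198.51.100.53; a real deployment would be a router/firewall ACL, and this model is stateless, like those ACLs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed values, not from the original post.
INTERNAL = ip_network("192.0.2.0/24")       # our hosts
RESOLVER = ip_address("198.51.100.53")      # the one external DNS server we use


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


def loose_policy(p: Packet) -> bool:
    """The rule the quoted poster warns against: any inbound UDP packet with
    source port 53 is permitted, whatever it came from and wherever it goes."""
    return p.proto == "udp" and p.sport == 53 and ip_address(p.dst) in INTERNAL


def tight_policy(p: Packet) -> bool:
    """Marc's rule: UDP/53 only between internal hosts and the one resolver.
    Anything not explicitly permitted falls through to the implicit DENY."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if p.proto != "udp":
        return False
    if src in INTERNAL and dst == RESOLVER and p.dport == 53:   # outbound query
        return True
    if src == RESOLVER and p.sport == 53 and dst in INTERNAL:   # inbound reply
        return True
    return False


# Constructed sample traffic: a real reply from our resolver, a probe that
# uses source port 53 to reach tftp (udp/69), and a query to a stray resolver.
SAMPLES = {
    "reply":      Packet("198.51.100.53", 53, "192.0.2.10", 40123),
    "tftp_probe": Packet("203.0.113.7", 53, "192.0.2.10", 69),
    "query":      Packet("192.0.2.10", 40123, "198.51.100.53", 53),
    "stray":      Packet("192.0.2.10", 40123, "203.0.113.9", 53),
}


def evaluate(policy) -> dict:
    """Return {sample name: permitted?} for a policy function."""
    return {name: policy(pkt) for name, pkt in SAMPLES.items()}
```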
