Hello,
My thanks to you both for the info. Yes, I am referring only to inbound
queries from the Great Unknown (GU). My DNS system is essentially a
split-DNS with the internal DNS server passing requests to the firewall DNS
server. It, in turn, makes the requests to the world. The firewall server
is authoritative for our domain, and only contains a few entries we wish
exposed. Zone transfer requests are limited to our ISP's servers.
I wonder if, since our server will never return a packet large enough to
warrant requiring a tcp response to the query, I even need to allow inbound
(from the GU) tcp DNS requests from servers other than our ISP's servers -
or is it considered good practice to generally allow inbound udp _and_ tcp
requests and let the DNS server worry about who is allowed to initiate a
zone transfer?
> > > > Allow ANY source port for your DNS queries.
Consensus seems to indicate that allowing queries from the GU with any
source port to udp port 53 on the DNS server are okay. I had restricted it
earlier to just 53 and 1024:65535, but given the report of Firewall-1
rewriting packets with source port 53 to something like 512 or so, I see
the requirement to allow this (although, I've not seen these types of
denied packets in my logs to date).
Cheers!
Jon
-----------------------------------------------------------------
Jon Earle (613) 612-0946 (Cell)
HUB Computer Consulting Inc. (613) 830-1499 (Office)
http://www.hubcc.ca 1-888-353-7272 (Within Canada/US)
"God does not subtract from one's allotted time on Earth,
those hours spent flying." --Unknown
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
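The question above turns on whether an authoritative reply could ever exceed the classic 512-byte UDP DNS message size (RFC 1035): a reply that does is sent truncated with the TC bit set, and the resolver retries the same query over TCP port 53. The following script is an added example, not code from the mail or its author, that builds a minimal authoritative response for a constructed zone (example.com names and 192.0.2.0/24 addresses, both reserved documentation values) and reports whether it would fit in a UDP message or force a TCP retry. It deliberately encodes names without compression pointers, so its size estimate is conservative (a real server's reply is the same size or smaller).

```python
"""Estimate whether a DNS reply fits in a classic 512-byte UDP message or would
be truncated (TC=1) and make the client retry over TCP. Added example with
constructed zone data; not code from the original mailing-list post."""
import struct
from typing import List, Tuple

UDP_LIMIT = 512  # RFC 1035 maximum UDP DNS message size (pre-EDNS0)
TC_FLAG = 0x0200  # "truncated" bit in the header flags word


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels. No compression pointers are used,
    so the size we compute is an upper bound on what a server would send."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_a_rr(name: str, ip: str, ttl: int = 3600) -> bytes:
    """One A resource record: NAME TYPE(1=A) CLASS(1=IN) TTL RDLENGTH RDATA."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    if len(rdata) != 4:
        raise ValueError(f"bad IPv4 address {ip!r}")
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata


def build_response(qname: str, answers: List[Tuple[str, str]],
                   txid: int = 0x1234) -> bytes:
    """Minimal authoritative answer: header, one A question, N A records."""
    flags = 0x8400  # QR=1 (response), AA=1 (authoritative), TC=0
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question + b"".join(build_a_rr(n, ip) for n, ip in answers)


def needs_tcp_fallback(msg: bytes, limit: int = UDP_LIMIT) -> bool:
    """True if the full reply exceeds the UDP limit, i.e. the server would
    have to truncate it and the client would re-ask over TCP."""
    return len(msg) > limit


def tc_bit_set(msg: bytes) -> bool:
    """Read the TC flag from the header of a DNS message."""
    (flags,) = struct.unpack("!H", msg[2:4])
    return bool(flags & TC_FLAG)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name that starts at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def truncate_for_udp(msg: bytes, limit: int = UDP_LIMIT) -> bytes:
    """Model the server side of an oversized UDP reply: keep the header and
    question section, drop the answers, and set TC so the client retries
    over TCP."""
    if len(msg) <= limit:
        return msg
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QNAME, then QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, flags | TC_FLAG, qdcount, 0, 0, 0)
    return header + msg[12:off]


if __name__ == "__main__":
    # Constructed zone: three round-robin A records for one exposed host.
    exposed = [("www.example.com", f"192.0.2.{i}") for i in (10, 11, 12)]
    reply = build_response("www.example.com", exposed)
    print(len(reply), needs_tcp_fallback(reply))  # 126 False
```

With a zone holding only a handful of records, every ordinary reply stays well under the limit and no resolver on the Internet will ever need TCP to get an answer; a reply with twenty A records for one name already exceeds 512 bytes and would come back with TC set. TCP port 53 then matters only for zone transfers, and the DNS server's own transfer ACL is the place where the "who may AXFR" decision actually lives, whatever the firewall permits.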