On 04/04/2000 at 21:09:42 EST, Bill Lavalette noc/sec Administrator
<[EMAIL PROTECTED]> wrote:
> TCP 53 you would want to reject zone transfers from unauthorized hosts.
> This is one of the single most "doh's!!" when setting DNS security; a
> would-be attacker wouldn't even have to scan a class C to get the recon info he
> needs to launch assaults. It would be all mapped out for him/her in a nice
> neat zone file.

Zone transfers should be blocked (if you want to do this) with directives
to your DNS server code (usually BIND).  It shouldn't be done by blocking
53/tcp.

Blocking TCP blocks legitimate, non-zone-transfer DNS traffic.  Do you
really want to do this?  Not only will your setup be violating RFCs, but
some clients or applications simply may not be able to use your site.  (I
suspect there are folks that will say that they don't allow 53/tcp and it
doesn't seem to be hurting anything.  Maybe they should more closely
investigate their firewall logs and complaints from external users.)

Tony Rall
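To illustrate the two points above, an added example (not part of the original thread, and not BIND's code): a truncated UDP reply with the TC bit set forces an ordinary resolver to retry the same query over 53/tcp, while a zone transfer is recognisable by its qtype (AXFR, 252) in the question section, which is exactly what a name server's own transfer restriction keys on. The sample messages are constructed inline, not captured traffic.

```python
import struct

# Flag bits of the 16-bit DNS header flags word (RFC 1035 section 4.1.1).
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
QTYPE_A, QTYPE_AXFR = 1, 252

def parse_header(msg):
    """Return the fields of the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def needs_tcp_retry(udp_reply):
    """TC set means the answer was cut at UDP's 512-byte limit; a resolver must
    repeat the query over 53/tcp, so blocking that port drops the real answer."""
    return parse_header(udp_reply)["tc"]

def build_query(name, qtype, ident=0x1234):
    """Construct a standard query (RD=1) for name/qtype, class IN."""
    header = struct.pack("!HHHHHH", ident, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Parse the first question; a query's question section is never compressed."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels), qtype, qclass

def is_zone_transfer(query):
    """The server can tell AXFR from any other TCP query by qtype alone, which is
    why the transfer restriction belongs in the name server, not the firewall."""
    return parse_question(query)[1] == QTYPE_AXFR

# Constructed samples (not captured traffic): a truncated UDP reply
# (flags 0x8380 = QR|TC|RD|RA) and a complete one (0x8180 = QR|RD|RA).
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
AXFR_QUERY = build_query("example.com", QTYPE_AXFR)
A_QUERY = build_query("www.example.com", QTYPE_A)
```

Run `needs_tcp_retry(TRUNCATED_REPLY)` and `is_zone_transfer(A_QUERY)` to see that the retry case and the transfer case are independent: a firewall rule on the port cannot separate them, a server-side transfer ACL can.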


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
