--On Tuesday, 04 April, 2000 20:22 -0700 [EMAIL PROTECTED] wrote:
> On 04/04/2000 at 21:09:42 EST, Bill Lavalette noc/sec Administrator
> <[EMAIL PROTECTED]> wrote:
>> TCP 53 you would want to reject zone transfers from unauthorized hosts.
>> This is one of the single most "doh's!!" when setting DNS security: a
>> would-be attacker wouldn't even have to scan a class C to get the recon
>> info he needs to launch assaults. It would be all mapped out for him/her
>> in a nice neat zone file.
>
> Zone transfers should be blocked (if you want to do this) with directives
> to your DNS server code (usually BIND). It shouldn't be done by
> blocking 53/tcp.
>
> Blocking TCP blocks legitimate, non-zone-transfer DNS traffic. Do you
> really want to do this? Not only will your setup be violating RFCs, but
> some clients or applications simply may not be able to use your site. (I
> suspect there are folks that will say that they don't allow 53/tcp and it
> doesn't seem to be hurting anything. Maybe they should more closely
> investigate their firewall logs and complaints from external users.)
It's potentially worse than that: if, for whatever reason, things get too
large (as Paul Robertson implied), then things would stop working. That might
not be desirable.
-paul
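As an added example (not from any participant in this thread), this is the named.conf approach the quoted reply recommends for BIND 9: the zone-transfer restriction lives in the name server, so 53/tcp can stay open for ordinary queries that outgrow a UDP response. The zone name, file, secondary address and key secret are placeholders.

```conf
// Weak: no allow-transfer clause, so BIND's default (anyone may request
// an AXFR) applies, and the "fix" is a firewall rule dropping 53/tcp,
// which also breaks ordinary queries that fall back to TCP.
//
// zone "example.com" {
//     type master;
//     file "db.example.com";
// };

// Corrected: the zone still answers on both 53/udp and 53/tcp, but a
// transfer is only honoured when the request is TSIG-signed with a key
// shared with the secondary.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";   // generate with tsig-keygen
};

options {
    // Server-wide default: refuse transfers unless a zone overrides it.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { key "xfer-key"; };   // TSIG-signed requests only
    also-notify { 192.0.2.53; };          // secondary, RFC 5737 test address
};
```

After reloading, `dig @ns1.example.com example.com AXFR` from a host without the key should end in "Transfer failed." while a plain `dig +tcp @ns1.example.com example.com A` still answers, which is the behaviour a firewall block on 53/tcp cannot give you.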