> First I would filter all ports on the DNS server and only open those
> necessary. These might include udp/tcp 53 to the world and ssh from select
> internal hosts. Verify you are always running the latest version of BIND
> (probably in the 9.x series) or possibly you have switched over to a
> better solution (djbdns)[1].

I wouldn't recommend allowing tcp 53 unless you absolutely have to, and then
only with a trusted DNS server. TCP is normally used for zone transfers and
you don't want to give away that information.


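Added example, not part of the original thread: a small shell generator for an iptables-restore ruleset that follows the policy discussed above (UDP 53 open, TCP 53 only from a trusted DNS server, SSH from select internal hosts). The function names and the documentation-range addresses are assumptions chosen for illustration.

```sh
#!/bin/sh
# Constructed example: addresses are documentation-range placeholders.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# dns_fw_rules "TRUSTED_DNS..." "ADMIN_HOSTS..."
# Print iptables-restore input: default-drop, UDP 53 from anywhere,
# TCP 53 only from the trusted DNS servers, SSH only from admin hosts.
# Caveat: resolvers retry over TCP when a UDP answer is truncated, and
# this policy drops those retries from everyone but the trusted servers.
dns_fw_rules() {
    trusted_dns=$1
    admin_hosts=$2
    for ip in $trusted_dns $admin_hosts; do
        is_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p udp --dport 53 -j ACCEPT'
    for ip in $trusted_dns; do
        echo "-A INPUT -p tcp -s $ip --dport 53 -j ACCEPT"
    done
    for ip in $admin_hosts; do
        echo "-A INPUT -p tcp -s $ip --dport 22 -j ACCEPT"
    done
    echo 'COMMIT'
}

# Review the output before loading it, e.g. with: iptables-restore --test
dns_fw_rules "192.0.2.53" "198.51.100.10 198.51.100.11"
```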