Actually Jack, in the wild you will see a significant portion of requests
coming from port 53. I forget why off the top of my head, but it does
happen. Also, remember that the >1024 is a Unix'ism and isn't true in the
Windows world.
Lastly, 53/tcp is not only used for zone transfers. It can be used for
"normal lookups" too. I forget what threshold the RFC states, but any
communication beyond a certain number of bytes will be done over TCP
regardless of whether it is a regular lookup or zone transfer. It just so happens
that it is very rare that a lookup occurs over TCP, but it is possible.
So if you're concerned about security and not breaking things, your best
bet is to use the security features in BIND or whatever software you're
using to limit zone transfers to specific hosts rather than the firewall.
Realize however that this will also make you more vulnerable to
buffer overflow attacks in BIND so it's imperative that you run BIND
chrooted and keep it up to date.
--
Aaron Turner [EMAIL PROTECTED] 650.237.0300 x252
Security Engineer Vicinity Corp.
Cell: 408-314-9874 http://www.vicinity.com
On Sun, 16 Jul 2000, Jack Coates wrote:
>
> TCP 53 is for zone transfers, UDP 53 is for lookups. The originator of
> either request will be coming from an unspecified port above 1024.
>
>
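The TCP fallback described above, as an added example that is not part of the original thread or of any BIND code: RFC 1035 limits a DNS message over UDP to 512 bytes (before EDNS0), and a server whose answer does not fit sets the TC (truncated) bit, after which the resolver repeats the same query over 53/tcp, where each message carries a 2-byte length prefix. The sample query and responses are constructed inline (the 192.0.2.1 address is documentation space); parsing the header flags shows why a firewall rule that drops 53/tcp silently breaks ordinary lookups whose answers are too large for one datagram.

```python
import struct

# RFC 1035 sets 512 bytes as the maximum DNS payload over UDP (without EDNS0).
UDP_MAX_PAYLOAD = 512

FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated: the client must retry over 53/tcp
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query for qname (qtype 1 = A, class 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)
    return header + question


def parse_header(msg):
    """Decode the 12-byte DNS header into its fields and the flags that matter here."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_response):
    """True when the server set TC: the full answer did not fit in one UDP datagram."""
    return parse_header(udp_response)["tc"]


def resolve_plan(udp_response):
    """What a resolver does next after a UDP reply (a label, for illustration)."""
    return "retry over 53/tcp" if needs_tcp_retry(udp_response) else "done over 53/udp"


def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream):
    """Split a TCP byte stream into complete DNS messages; return (messages, leftover bytes)."""
    messages = []
    while len(stream) >= 2:
        (length,) = struct.unpack("!H", stream[:2])
        if len(stream) < 2 + length:
            break  # partial message, wait for more data
        messages.append(stream[2:2 + length])
        stream = stream[2 + length:]
    return messages, stream


# Constructed samples: a query for example.com, a truncated reply (QR, RD, TC, RA set,
# question echoed, no answer carried) and a complete reply with one A record (192.0.2.1).
QUERY = build_query("example.com")
TRUNCATED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_TC | FLAG_RA, 1, 0, 0, 0)
    + QUERY[12:]
)
COMPLETE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
    + QUERY[12:]
    + struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)  # name pointer, type A, IN, TTL, rdlength
    + bytes([192, 0, 2, 1])
)


if __name__ == "__main__":
    print(resolve_plan(TRUNCATED_RESPONSE))
    print(resolve_plan(COMPLETE_RESPONSE))
    framed = frame_for_tcp(QUERY)
    # Two framed messages with a trailing partial one: only the complete ones are returned.
    print(unframe_from_tcp(framed + framed + framed[:5]))
```

The same framing applies to zone transfers, so a filter on 53/tcp cannot tell an AXFR from a retried lookup by port alone; that is the reason the reply above points at BIND's own transfer restrictions rather than the firewall.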
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================