On Thursday 06 June 2002 2:48 pm, Raymond Leach wrote:
> On Thursday 06 June 2002 15:45, Maciej Soltysiak wrote:
> > Using netfilter you can not judge whether TCP:53 packet is a zone
> > transfer or just a query.
>
> If you only expect to receive queries from internal interfaces then there
> should be no 'queries' from external sources.

Your statement is correct; however, it does not help when you are running a domain name server which does need to be accessible from the outside, but you only want people to do standard lookups, and not zone transfers.

I agree with Maciej - you should set appropriate access controls on the name server itself, because netfilter cannot do it for you.

Antony.
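The point made in this thread, shown in code as an added example that is not part of the original mailing-list message: a lookup and a zone transfer arriving on TCP port 53 look identical at the layer netfilter filters on (protocol and port), and only differ in the QTYPE field inside the DNS question, which the name server itself parses. The script below builds two constructed TCP-framed DNS requests for the same name, one ordinary A query and one AXFR, decodes the question, and applies the kind of access control the thread recommends putting on the name server (transfers only from a configured list of secondaries, queries from anywhere). The address ranges and the function names are assumptions made for the example.

```python
import ipaddress
import struct

# DNS QTYPE values from RFC 1035 / RFC 1995.
QTYPE_A = 1
QTYPE_IXFR = 251
QTYPE_AXFR = 252
TRANSFER_TYPES = {QTYPE_AXFR, QTYPE_IXFR}


def build_tcp_query(name, qtype, txid=0x1234):
    """Build a DNS query as it travels over TCP: 2-byte length prefix + message.

    Both a lookup and a zone transfer request use exactly this framing; the
    only thing that changes between them is the 16-bit QTYPE in the question.
    """
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN
    message = header + question
    return struct.pack("!H", len(message)) + message


def parse_tcp_query(data):
    """Return (qname, qtype) for the first question of a TCP-framed DNS request."""
    (length,) = struct.unpack("!H", data[:2])
    msg = data[2:2 + length]
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    pos = 12
    labels = []
    while True:
        label_len = msg[pos]
        pos += 1
        if label_len == 0:
            break
        if label_len & 0xC0:
            raise ValueError("name compression is not expected in the question")
        labels.append(msg[pos:pos + label_len].decode("ascii"))
        pos += label_len
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels) + ".", qtype


def name_server_allows(src_ip, data, transfer_acl):
    """Apply a server-side ACL of the kind the thread recommends.

    transfer_acl is a list of CIDR strings (assumed addresses of secondaries).
    Ordinary queries are accepted from any source; AXFR/IXFR only from the ACL.
    This decision needs the parsed QTYPE, which a port-based filter never sees.
    """
    _qname, qtype = parse_tcp_query(data)
    if qtype not in TRANSFER_TYPES:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(net) for net in transfer_acl)


if __name__ == "__main__":
    # Constructed sample traffic: same name, same transport, different QTYPE.
    secondaries = ["192.0.2.0/24"]          # assumed secondary name servers
    lookup = build_tcp_query("example.com", QTYPE_A)
    axfr = build_tcp_query("example.com", QTYPE_AXFR)
    for label, req in (("A lookup", lookup), ("AXFR", axfr)):
        print(label, parse_tcp_query(req),
              "from outside allowed:", name_server_allows("198.51.100.7", req, secondaries),
              "from secondary allowed:", name_server_allows("192.0.2.10", req, secondaries))
```

Run it and the two requests decode to the same name but QTYPE 1 versus 252; the outside host is allowed the lookup and refused the transfer, while the listed secondary gets both. Nothing about the transport (TCP, destination port 53) differs, which is exactly why the decision has to live in the name server's configuration rather than in a netfilter rule.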
