On 12/20/05, Buzz Kill <[EMAIL PROTECTED]> wrote:
> A quick look at RFC 1034 & 1035 shows how DNS works. Most setups
> (I'd say 99%) will need both of these ports open, assuming you want
> the world to access services running within your domain that rely on
> DNS & Bind (which is like 99% of them).

Actually, I'd venture that 99% of installations are not hosting
authoritative DNS for Internet domains, and do not need to permit the
world to make inbound queries.

In such a deployment, you can run a caching DNS service,
permit internal clients to make queries only to the local cache,
and only the local cache is permitted to initiate outbound queries on UDP
and TCP 53.

OpenBSD ships with an example BIND configuration for this as
/var/named/etc/named-simple.conf

Kevin
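The split Kevin describes, written out as an added example (not from the thread, and not the contents of OpenBSD's named-simple.conf): a caching-only BIND that answers only the LAN, plus the pf rules that let only the cache reach port 53 on the Internet. It assumes the cache runs on the OpenBSD gateway itself, with em0 external, em1 internal on 192.168.1.1, and a 192.168.1.0/24 LAN; only the DNS-related pf rules are shown.

```conf
# --- /var/named/etc/named.conf (caching-only; addresses assumed) ---
acl lan { 192.168.1.0/24; 127.0.0.1; };

options {
    directory "/";                          # relative to the chroot
    listen-on { 127.0.0.1; 192.168.1.1; };  # no listener on the external address
    recursion yes;                          # it is a cache, not an authoritative server
    allow-query { lan; };                   # only internal clients may ask
    allow-recursion { lan; };               # and only they get recursive answers
    allow-transfer { none; };               # a cache has no zones to hand out
};

# root hints so the cache can resolve from the root down (file path assumed)
zone "." { type hint; file "etc/root.hint"; };

# --- /etc/pf.conf (DNS rules only; interfaces assumed) ---
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

block all                       # default deny; pf keeps state on every "pass"

# log any internal client trying to bypass the cache (last match wins,
# so the narrower "pass" below overrides this for queries to the cache)
block in log on $int_if proto { tcp udp } from $lan to any port 53

# internal clients may query only the local cache
pass in  on $int_if proto { tcp udp } from $lan to ($int_if) port 53

# only the cache itself initiates outbound queries on UDP and TCP 53
pass out on $ext_if proto { tcp udp } from ($ext_if) to any port 53

# nothing from the Internet reaches port 53 (explicit, logged copy of "block all")
block in log on $ext_if proto { tcp udp } from any to any port 53
```

Check the logged blocks with `tcpdump -n -e -ttt -i pflog0 port 53` to spot clients configured to resolve around the cache.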
