Prot  Src    Dst    Use
udp   53     53     Queries between servers (eg, recursive queries)
udp   53     53     Replies to above
tcp   53     53     Queries with long replies between servers, zone transfers
tcp   53     53     Replies to above
udp   >1023  53     Client queries (sendmail, nslookup, etc ...)
udp   53     >1023  Replies to above
tcp   >1023  53     Client queries with long replies
tcp   53     >1023  Replies to above
Note: >1023 is for non-priv ports on Unix clients. On other client types, the limit may be more or less. In other words, if you lock down all but port 53 TCP/UDP you will find that the DNS server is speaking just fine to everyone, but your DNS clients cannot hear answers: even though the query has been sent out to port 53, the answer comes back somewhere above 1023.

BIND 8.x no longer uses port 53 as the source port for recursive queries, nor uses it as the destination port for the corresponding replies. By default it uses a random port >1023, although you can configure a specific port (and it can be port 53 if you want).

Another point to keep in mind when designing filters for DNS is that a DNS server uses port 53 both as the source and destination for its queries. So, a client queries an initial server from an unreserved port number to UDP port 53. If the server needs to query another server to get the required info, it sends a UDP query to that server with both source and destination ports set to 53. The response is then sent with the same src=53 dest=53 to the first server, which then responds to the original client from port 53 to the original source port number. The point of all this is that putting in filters to only allow UDP between a high port and port 53 will not work correctly; you must also allow port 53 to port 53 UDP to get through.

Also, ALL versions of BIND use TCP for queries in some cases. The original query is tried using UDP. If the response is longer than the allocated buffer, the resolver will retry the query using a TCP connection. If you block access to TCP port 53 as suggested above, you may find that some things don't work.

Newer versions of BIND allow you to configure a list of IP addresses from which to allow zone transfers. This mechanism can be used to prevent people from outside downloading your entire namespace.
http://screamer.mobrien.com/Manuals/MPRM_Group/dns_notes.html
http://lyris.iislists.com/articles/dns_for_iis.htm
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp

_____________________
Dave Kleiman
[EMAIL PROTECTED]
www.netmedic.net

"High achievement always takes place in the framework of high expectation." Jack Kinder

>Yes it is possible if you allow any host (ip address) to do zone
>transfers. Most name server daemons allow you to specify what hosts you
>want to allow to request transfers, and block all others. You can also
>block TCP port 53, and only allow UDP port 53 with an ACL or
>Firewall ruleset. I do both.

Careful... blocking TCP 53 might break certain Microsoft-sw DNS lookups. Apparently, Exchange, IIS and other MS software have a tendency of using TCP 53 for their DNS queries (requests too large for a UDP packet). You're also breaking the RFC (1035), which specifies that both TCP and UDP should be left open.

Cheers,
Anders :)
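An added example, not part of the original thread: it models a stateless packet filter in Python as an ordered list of allow rules, encodes the two policies discussed above (the "clients to UDP 53 only" filter the note warns about, and the full set of rows from the port table) and evaluates both against constructed DNS flows, including the 53-to-53 query between servers and the TCP retry after a truncated reply. It also shows the header check that triggers that retry, the TC bit of RFC 1035. The port numbers come from the table; the rule sets, the flow samples and the two DNS header bytes are constructed for illustration.

```python
"""Check which DNS flows a firewall policy permits, using the flows from the port table."""

import struct
from dataclasses import dataclass
from typing import Callable, Dict, List

PortMatch = Callable[[int], bool]


def port(n: int) -> PortMatch:
    """Match exactly one port."""
    return lambda p: p == n


def unpriv() -> PortMatch:
    """Match the non-privileged range (>1023) the note refers to."""
    return lambda p: p > 1023


@dataclass(frozen=True)
class Rule:
    proto: str
    src: PortMatch
    dst: PortMatch
    note: str


@dataclass(frozen=True)
class Flow:
    proto: str
    sport: int
    dport: int
    desc: str


def permitted(rules: List[Rule], flow: Flow) -> bool:
    """A flow passes when any allow rule matches protocol, source and destination port."""
    return any(r.proto == flow.proto and r.src(flow.sport) and r.dst(flow.dport) for r in rules)


# Policy A (constructed): the "lock down all but UDP 53 from clients" ruleset the note warns about.
NAIVE = [
    Rule("udp", unpriv(), port(53), "client query"),
    Rule("udp", port(53), unpriv(), "reply to client"),
]

# Policy B (constructed): one allow rule per row of the port table above.
FULL = [
    Rule("udp", port(53), port(53), "queries between servers, and replies"),
    Rule("tcp", port(53), port(53), "long replies between servers, zone transfers, and replies"),
    Rule("udp", unpriv(), port(53), "client queries"),
    Rule("udp", port(53), unpriv(), "replies to client queries"),
    Rule("tcp", unpriv(), port(53), "client queries with long replies"),
    Rule("tcp", port(53), unpriv(), "replies to above"),
]

# Constructed flows; source port 1234 stands in for any unreserved client port.
FLOWS = [
    Flow("udp", 1234, 53, "client query from an unreserved port"),
    Flow("udp", 53, 1234, "reply to the client"),
    Flow("udp", 53, 53, "recursive query between servers (older BIND, source port 53)"),
    Flow("udp", 53, 53, "reply between servers (53 -> 53)"),
    Flow("tcp", 1234, 53, "client retry over TCP after a truncated UDP reply"),
    Flow("tcp", 53, 1234, "TCP reply to the client"),
    Flow("tcp", 53, 53, "zone transfer between servers over TCP"),
]


def evaluate(rules: List[Rule], flows: List[Flow]) -> Dict[str, bool]:
    """Map each flow description to whether the policy lets it through."""
    return {f.desc: permitted(rules, f) for f in flows}


def blocked_by(rules: List[Rule], flows: List[Flow]) -> List[str]:
    """Descriptions of the flows a policy drops, in table order."""
    return [f.desc for f in flows if not permitted(rules, f)]


def needs_tcp_retry(reply: bytes) -> bool:
    """True when the reply's TC (truncated) flag is set, which is when the resolver retries over TCP.

    The DNS header is 12 bytes: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 4.1.1).
    TC is bit 9 of the flags word (mask 0x0200).
    """
    if len(reply) < 12:
        raise ValueError("short DNS header")
    (flags,) = struct.unpack("!H", reply[2:4])
    return bool(flags & 0x0200)


# Constructed reply headers: QR=1, RD=1, RA=1, rcode 0; the first also has TC=1.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)


if __name__ == "__main__":
    for name, rules in (("naive", NAIVE), ("full", FULL)):
        print(f"{name}: blocked = {blocked_by(rules, FLOWS)}")
    print("truncated reply -> retry over TCP:", needs_tcp_retry(TRUNCATED_REPLY))
```

Run as-is, the naive policy drops five of the seven flows (both 53-to-53 directions and every TCP flow), while the table-derived policy drops none; the second half shows that the TCP retry is decided by a single header bit, so a filter that never admits TCP 53 silently discards exactly the answers that were too large for UDP.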