From owner-freebsd-security Mon Aug 23 14: 2:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 0A653157D7 for ; Mon, 23 Aug 1999 14:02:19 -0700 (PDT) (envelope-from sthaug@nethelp.no)
Received: (qmail 604 invoked by uid 1001); 23 Aug 1999 21:01:52 +0000 (GMT)
To: freebsd@gndrsh.dnsmgr.net
Cc: nate@mt.sri.com, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
From: sthaug@nethelp.no
In-Reply-To: Your message of "Mon, 23 Aug 1999 13:53:40 -0700 (PDT)"
References: <199908232053.NAA36241@gndrsh.dnsmgr.net>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Mon, 23 Aug 1999 23:01:50 +0200
Message-ID: <596.935442110@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> DNS queries and replies are usually done using udp; if and only if a udp
> query fails will a client even try a tcp query. You can safely block
> tcp queries, there just shouldn't really be any.

Life isn't that simple, unfortunately. There are some clients out there that use TCP on a regular basis - early versions of a well known Internet "server in a box" system based on FreeBSD, for instance :-)

Blocking TCP queries is not recommended.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
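As an added illustration of why a firewall that drops TCP port 53 breaks resolution (this is example code, not part of the thread above): a resolver falls back to TCP not only when a UDP query "fails" outright but whenever the UDP reply carries the TC (truncated) flag from RFC 1035, which any reply larger than the 512-byte UDP limit will. The header bytes below are constructed samples; `needs_tcp_retry` is a hypothetical helper name.

```python
import struct

# Constructed 12-byte DNS response headers for query id 0x1234.
# flags 0x8380: QR=1 opcode=0 AA=0 TC=1 RD=1 RA=1 RCODE=0 (truncated reply)
TRUNCATED_REPLY = bytes.fromhex("12348380000100000000" "0000")
# flags 0x8180: same but TC=0, with one answer record counted (complete reply)
COMPLETE_REPLY = bytes.fromhex("12348180000100010000" "0000")


def parse_dns_header(msg: bytes) -> dict:
    """Decode the fixed DNS header (RFC 1035 section 4.1.1) into its fields."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,         # 1 = answer did not fit in UDP reply
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_reply: bytes) -> bool:
    """True when a stub or recursive resolver must re-send the query over
    TCP port 53: the reply is a response (QR=1) marked truncated (TC=1).
    An ipfw ruleset that passes only UDP 53 turns every such lookup into
    a timeout, which is the failure the thread warns about."""
    hdr = parse_dns_header(udp_reply)
    return hdr["qr"] == 1 and hdr["tc"] == 1


if __name__ == "__main__":
    for name, reply in (("truncated", TRUNCATED_REPLY), ("complete", COMPLETE_REPLY)):
        print(f"{name}: TCP retry needed = {needs_tcp_retry(reply)}")
```

A defender reviewing DNS firewall rules can apply the same check to a packet capture: any UDP reply with TC set that is not followed by a TCP session to port 53 is evidence the ruleset is blocking the fallback.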