From owner-freebsd-security Mon Aug 23 14: 9:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id 0045B15769 for ; Mon, 23 Aug 1999 14:09:15 -0700 (PDT) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id PAA02920; Mon, 23 Aug 1999 15:09:13 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id PAA02237; Mon, 23 Aug 1999 15:09:12 -0600
Date: Mon, 23 Aug 1999 15:09:12 -0600
Message-Id: <199908232109.PAA02237@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: sthaug@nethelp.no
Cc: freebsd@gndrsh.dnsmgr.net, nate@mt.sri.com, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
In-Reply-To: <596.935442110@verdi.nethelp.no>
References: <199908232053.NAA36241@gndrsh.dnsmgr.net> <596.935442110@verdi.nethelp.no>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > DNS queries and replies are usually done using udp, if and only if a udp
> > query fails will a client even try a tcp query. You can safely block
> > tcp queries, there just shouldn't really be any.
>
> Life isn't that simple, unfortunately. There are some clients out there
> that use TCP on a regular basis - early versions of a well known Internet
> "server in a box" system based on FreeBSD, for instance :-)
>
> Blocking TCP queries is not recommended.

I may just 'log' TCP queries then, to see what's what. If I never get any
hits, I will probably later on block them.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
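The "log first, decide later" approach from the reply above, as an added example that is not part of the thread: two ipfw rules that allow and log TCP port 53 in each direction, plus a small awk summary that counts the resulting syslog hits per rule and source host so the decision to block can be based on what actually shows up. The rule numbers, the interface, and the sample log lines are assumptions; the log lines are constructed in the ipfw syslog format ("ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> <dir> via <if>").

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Rule numbers 1000/1001
# and the sample log lines below are assumptions/constructed data.

# Emit the ipfw commands that allow-and-log TCP DNS instead of blocking it.
# The "log" keyword makes every match write a line via syslog.
dns_tcp_log_rules() {
    cat <<'EOF'
ipfw add 1000 allow log tcp from any to any 53 in
ipfw add 1001 allow log tcp from any to any 53 out
EOF
}

# Apply the rules on a FreeBSD gateway (needs root; not run by the checks).
apply_dns_tcp_log_rules() {
    dns_tcp_log_rules | sh
}

# Read ipfw syslog lines on stdin and print "count rule src-host" for every
# TCP hit involving port 53, most frequent first. UDP lines are ignored.
summarize_tcp_dns_hits() {
    awk '
      $0 ~ / ipfw: / && $0 ~ / TCP / {
          for (i = 1; i <= NF; i++) {
              if ($i == "ipfw:") {
                  rule = $(i + 1); proto = $(i + 3); src = $(i + 4); dst = $(i + 5)
              }
          }
          if (proto == "TCP" && (src ~ /:53$/ || dst ~ /:53$/)) {
              sub(/:[0-9]+$/, "", src)   # drop the ephemeral source port
              hits[rule " " src]++
          }
      }
      END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Constructed sample of what /var/log/security (assumed path) might contain
# after the rules above have been active for a while.
SAMPLE_LOG='Aug 23 15:09:12 gw /kernel: ipfw: 1000 Accept TCP 192.0.2.10:1025 198.51.100.53:53 in via fxp0
Aug 23 15:09:14 gw /kernel: ipfw: 1000 Accept TCP 192.0.2.10:1026 198.51.100.53:53 in via fxp0
Aug 23 15:09:20 gw /kernel: ipfw: 1000 Accept UDP 192.0.2.11:1027 198.51.100.53:53 in via fxp0
Aug 23 15:09:31 gw /kernel: ipfw: 1001 Accept TCP 198.51.100.53:3456 203.0.113.7:53 out via fxp0'

# Total number of TCP DNS hits in the constructed sample (3: the UDP line
# is not counted).
tcp_dns_hit_count() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_tcp_dns_hits | awk '{ s += $1 } END { print s + 0 }'
}
```

On a live gateway, replace the constructed sample with `summarize_tcp_dns_hits < /var/log/security` (or wherever syslog puts the security facility on that host). If the summary stays empty over a representative period, the `allow log` rules can be swapped for `deny` ones; if a source host keeps appearing, that is exactly the TCP-only client the reply warns about.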