Date:      Mon, 23 Aug 1999 15:16:38 -0700 (PDT)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        sthaug@nethelp.no
Cc:        nate@mt.sri.com, freebsd-security@FreeBSD.ORG
Subject:   Re: IPFW/DNS rules
Message-ID:  <199908232216.PAA36434@gndrsh.dnsmgr.net>
In-Reply-To: <596.935442110@verdi.nethelp.no> from "sthaug@nethelp.no" at "Aug 23, 1999 11:01:50 pm"

> > DNS queries and replies are usually done using udp, if and only if a udp
> > query fails will a client even try a tcp query.  You can safely block
> > tcp queries, there just shouldn't really be any.
> 
> Life isn't that simple, unfortunately. There are some clients out there
> that use TCP on a regular basis - early versions of a well known Internet
> "server in a box" system based on FreeBSD, for instance :-)
> 
> Blocking TCP queries is not recommended.

It's not a problem for me, but it may be for Nate.  Nothing should
be doing public queries to my master DNS servers, they aren't even
listed in the SOA for the zones.  The outside and public DNS servers
do allow TCP to them, but it is logged, and I haven't seen one in
a month, so either the above is not very widely deployed, or they
have ``fixed'' it.


-- 
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net
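A concrete ipfw ruleset following the split Rod describes (UDP open, TCP allowed but logged on the public servers, everything denied and logged on the hidden master), added here as an example rather than taken from the thread; the addresses, interface-free rule numbers and the dry-run default are constructed assumptions, and the script only prints the commands unless IPFW=ipfw is set.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses are placeholders (RFC 5737).
# Default is a dry run that prints the commands; run with IPFW=ipfw to apply.
IPFW="${IPFW:-echo ipfw}"

# dns_rules MASTER PUBLIC
#   MASTER: hidden master, not listed in the SOA; nothing outside should query it
#   PUBLIC: advertised server; UDP allowed, TCP allowed but logged
# Only inbound service traffic is covered; the servers' own outbound
# recursion/zone transfers need their own rules.
dns_rules() {
    master="$1"
    public="$2"

    # UDP is the normal transport: queries in, answers out.
    $IPFW add 1000 allow udp from any to "$public" 53
    $IPFW add 1010 allow udp from "$public" 53 to any

    # TCP fallback (truncated answers, clients that always use TCP):
    # allow it, but log each new connection so you can see who needs it.
    $IPFW add 1100 allow log tcp from any to "$public" 53 setup
    $IPFW add 1110 allow tcp from any to "$public" 53 established
    $IPFW add 1120 allow tcp from "$public" 53 to any established

    # The hidden master must never see outside queries at all.
    # Log the denies: any hit here is a misconfiguration or a probe.
    $IPFW add 1200 deny log udp from any to "$master" 53
    $IPFW add 1210 deny log tcp from any to "$master" 53
}

dns_rules 192.0.2.1 192.0.2.2
```

After a month of `allow log` hits (or none) on rule 1100 you have the evidence to decide whether TCP 53 can be closed on the public servers.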

