Date: Mon, 23 Aug 1999 15:16:38 -0700 (PDT)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: sthaug@nethelp.no
Cc: nate@mt.sri.com, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
Message-ID: <199908232216.PAA36434@gndrsh.dnsmgr.net>
In-Reply-To: <596.935442110@verdi.nethelp.no> from "sthaug@nethelp.no" at "Aug 23, 1999 11:01:50 pm"
> > DNS queries and replies are usually done using udp; if and only if a udp
> > query fails will a client even try a tcp query. You can safely block
> > tcp queries; there just shouldn't really be any.
>
> Life isn't that simple, unfortunately. There are some clients out there
> that use TCP on a regular basis - early versions of a well known Internet
> "server in a box" system based on FreeBSD, for instance :-)
>
> Blocking TCP queries is not recommended.

It's not a problem for me, but it may be for Nate. Nothing should be doing public queries to my master DNS servers; they aren't even listed in the SOA for the zones. The outside and public DNS servers do allow TCP to them, but it is logged, and I haven't seen one in a month, so either the above is not very widely deployed, or they have ``fixed'' it.

--
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net
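Rod's approach of permitting TCP to the public servers but logging it only works if someone actually reads the log, so here is an added example (not from the thread or from FreeBSD) that scans ipfw syslog lines for TCP traffic to port 53 of a given set of servers and counts it per source and action. The log-line shape, the server addresses and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Assumed ipfw syslog line shape (kernel "log" keyword on a rule):
#   ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <ifname>
IPFW_LINE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample log: one public server (.10) and one master (.11).
PUBLIC_NS = {"203.0.113.10"}
MASTER_NS = {"203.0.113.11"}
SAMPLE_LOG = [
    "Aug 23 14:02:11 ns1 kernel: ipfw: 300 Accept UDP 198.51.100.7:53211 203.0.113.10:53 in via fxp0",
    "Aug 23 14:02:15 ns1 kernel: ipfw: 310 Accept TCP 198.51.100.7:40122 203.0.113.10:53 in via fxp0",
    "Aug 23 14:03:01 ns1 kernel: ipfw: 400 Deny TCP 192.0.2.44:51000 203.0.113.11:53 in via fxp0",
    "Aug 23 14:03:09 ns1 kernel: ipfw: 310 Accept TCP 198.51.100.7:40123 203.0.113.10:53 in via fxp0",
    "Aug 23 14:04:00 ns1 kernel: ipfw: 310 Accept TCP 203.0.113.10:53 198.51.100.7:40123 out via fxp0",
    "Aug 23 14:05:00 ns1 kernel: ipfw: 500 Accept TCP 198.51.100.9:2200 203.0.113.10:22 in via fxp0",
]


def parse_ipfw_line(line):
    """Return a dict of the ipfw fields, or None if the line is not an ipfw log line."""
    m = IPFW_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def tcp_dns_queries(lines, server_ips, direction="in"):
    """Count (src, dst, action) for TCP-to-port-53 traffic towards server_ips.

    Outbound replies and non-DNS TCP (e.g. ssh) are ignored, so the result is
    exactly the list of hosts that tried TCP DNS against the given servers.
    """
    hits = Counter()
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != 53:
            continue
        if rec["dir"] == direction and rec["dst"] in server_ips:
            hits[(rec["src"], rec["dst"], rec["action"])] += 1
    return hits


if __name__ == "__main__":
    for name, servers in (("public", PUBLIC_NS), ("master", MASTER_NS)):
        for (src, dst, action), n in tcp_dns_queries(SAMPLE_LOG, servers).items():
            print(f"{name}: {n} TCP/53 from {src} to {dst} ({action})")
```

Against a real system the lines would come from the syslog file that receives kernel messages rather than from the embedded sample; a non-empty result for the master servers is the anomaly Rod describes, since nothing public should be querying them at all.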