From owner-freebsd-security Mon Aug 23 15:17:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 86B0614DFC for ; Mon, 23 Aug 1999 15:17:38 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id PAA36434; Mon, 23 Aug 1999 15:16:38 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199908232216.PAA36434@gndrsh.dnsmgr.net>
Subject: Re: IPFW/DNS rules
In-Reply-To: <596.935442110@verdi.nethelp.no> from "sthaug@nethelp.no" at "Aug 23, 1999 11:01:50 pm"
To: sthaug@nethelp.no
Date: Mon, 23 Aug 1999 15:16:38 -0700 (PDT)
Cc: nate@mt.sri.com, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > DNS queries and replies are usually done using UDP; if and only if a UDP
> > query fails will a client even try a TCP query. You can safely block
> > TCP queries, there just shouldn't really be any.
>
> Life isn't that simple, unfortunately. There are some clients out there
> that use TCP on a regular basis - early versions of a well known Internet
> "server in a box" system based on FreeBSD, for instance :-)
>
> Blocking TCP queries is not recommended.

It's not a problem for me, but it may be for Nate. Nothing should be doing
public queries to my master DNS servers; they aren't even listed in the SOA
for the zones. The outside and public DNS servers do allow TCP to them, but
it is logged, and I haven't seen one in a month, so either the above is not
very widely deployed, or they have ``fixed'' it.

-- 
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net
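As an added example (not code from the thread or from any of its posters), here is an ipfw(8) rule set in the shape Rod describes, plus the check that goes with it: UDP to the public name server passes silently, TCP to it is allowed but logged, nothing from outside reaches the hidden master, and a small log summary shows whether anyone is actually using TCP before you decide to block it. The addresses, interface name, rule numbers and sample log lines are constructed for the example; the ipfw command can be overridden (IPFW=echo) to preview the rules without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the original thread. Addresses, interface and
# rule numbers are hypothetical. Set IPFW=echo to print rules instead of
# loading them.
IPFW=${IPFW:-/sbin/ipfw}
EXT_IF=fxp0               # outside interface (assumed)
PUBLIC_NS=192.0.2.53      # server listed in the zones' NS records (assumed)
MASTER_NS=192.0.2.10      # hidden master, never listed publicly (assumed)

# Emit the DNS rules. Classic ipfw syntax (FreeBSD 3.x era):
#   ipfw add <num> <action> [log] <proto> from <src> to <dst> [port] [options]
dns_rules() {
    # UDP queries in and replies out: allowed, not logged.
    "$IPFW" add 300 allow udp from any to "$PUBLIC_NS" 53 in via "$EXT_IF"
    "$IPFW" add 310 allow udp from "$PUBLIC_NS" 53 to any out via "$EXT_IF"
    # TCP to the public server (truncated answers, zone transfers): allowed,
    # but each new connection is logged so its use can be reviewed later.
    "$IPFW" add 320 allow log tcp from any to "$PUBLIC_NS" 53 setup in via "$EXT_IF"
    # Nothing outside should talk to the master at all: deny and log both.
    "$IPFW" add 330 deny log udp from any to "$MASTER_NS" 53 in via "$EXT_IF"
    "$IPFW" add 331 deny log tcp from any to "$MASTER_NS" 53 in via "$EXT_IF"
}

# Summarise logged TCP traffic to port 53 from a syslog file, per source
# address and action, most frequent first. Kernel log lines look like:
#   ... /kernel: ipfw: 320 Accept TCP 203.0.113.7:2345 192.0.2.53:53 in via fxp0
tcp53_hits() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if (i > NF) next                          # not an ipfw log line
        action = $(i+2); proto = $(i+3); src = $(i+4); dst = $(i+5)
        if (proto != "TCP" || dst !~ /:53$/) next
        sub(/:[0-9]+$/, "", src)                  # drop the source port
        n[src " " action]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }' "$1" | sort -rn
}

case "${1:-}" in
    apply)  dns_rules ;;
    report) tcp53_hits "${2:-/var/log/security}" ;;
esac
```

Run it as `sh dnsrules.sh apply` from an rc script to load the rules, and `sh dnsrules.sh report /var/log/security` to see who has been opening TCP connections to port 53; a month of empty reports is the evidence the message above relies on before treating TCP 53 as blockable, while the Deny lines for the master address are the ones worth reading individually.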