From owner-freebsd-questions Thu Mar 23 18:49:36 2000
Date: Fri, 24 Mar 2000 04:33:34 +0200
From: Giorgos Keramidas
To: Kevin Oberman
Cc: J A Shamsi, freebsd-questions@FreeBSD.ORG
Subject: Re: DNS and FIREWALL
Message-ID: <20000324043334.C303@hades.hell.gr>
Reply-To: keramida@ceid.upatras.gr
References: <20000324013459.I654@hades.hell.gr> <200003240019.QAA22485@ptavv.es.net>
In-Reply-To: <200003240019.QAA22485@ptavv.es.net>; from oberman@es.net on Thu, Mar 23, 2000 at 04:19:31PM -0800

On Thu, Mar 23, 2000 at 04:19:31PM -0800, Kevin Oberman wrote:
> > From: Giorgos Keramidas
> >
> > Being selective on who gets allowed to connect to port tcp/53 is
> > not a bad thing. For instance if you just want your named to
> > play secondary for some zone, no need to allow incoming tcp/53
> > connections. You can make your named use a non-privileged
> > ephemeral port for queries, and allow only outgoing connections to
> > tcp/53.
>
> I'm afraid that this is a very bad idea. The specifications are
> explicit that a UDP transfer is tried (except for zone transfers)
> and, if the data is too large for a UDP transfer (512 octets), a TCP
> connection is made. The 512 octet limit is specified in the DNS RFC
> and BIND enforces this limit.

Then, correct me if I'm wrong, but it seems that apart from bandwidth
limiting with DUMMYNET, one cannot do much to protect a running named
from a DoS attack. Is that right?

- Giorgos Keramidas