Date: Mon, 27 Jul 1998 12:12:00 +0200
From: sthaug@nethelp.no
To: jkb@best.com
Cc: netadmin@fastnet.co.uk, security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity
Message-ID: <27146.901534320@verdi.nethelp.no>
In-Reply-To: Your message of "Mon, 27 Jul 1998 01:48:00 -0700 (PDT)"
References: <Pine.BSF.3.96.980727013412.470A-100000@shell6.ba.best.com>
> DNS uses UDP for resolver queries (most of the time).
> DNS uses TCP for zone transfers (always).
>
> If you don't want to allow zone transfer from that computer, don't
> worry about allowing TCP as long as your DNS response will never exceed
> 512 bytes.
> (yes I know one can also use xfrnets to stop unauthorized zone
> transfers but this is ipfw talk *grin*)

Use the tools appropriate for the job. In this case, it's much better to use BIND 8, which allows you fine-grained control over zone transfers.

It's not a good idea to block TCP port 53, because you may get TCP queries even if you don't have answers exceeding 512 bytes.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
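As an added illustration (not code from the thread or from BIND), the following Python builds a DNS response on the wire and shows the 512-byte UDP limit and TC-bit fallback that the exchange above turns on: once the answer set no longer fits, the server sets TC and the resolver must retry over TCP port 53, so a filter that drops TCP/53 breaks ordinary lookups, not just zone transfers. The name www.example.net and its 20 round-robin A records are constructed sample data.

```python
import struct

UDP_MAX = 512  # classic DNS-over-UDP payload limit (RFC 1035), the figure quoted in the thread

def encode_name(name: str) -> bytes:
    """Dotted name -> DNS wire-format labels (no compression), e.g. www.example.net."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def a_record(name: str, ipv4: str, ttl: int = 3600) -> bytes:
    """One A resource record: NAME, TYPE=1, CLASS=IN, TTL, RDLENGTH, RDATA."""
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata

def build_udp_response(txid: int, qname: str, answers: list) -> tuple:
    """Server side: assemble an authoritative response to an A query.
    Records are added while the whole message still fits in 512 bytes; if any
    are left over, the TC (truncated) flag is set, which tells the resolver to
    repeat the query over TCP port 53. Returns (message, truncated)."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    body, ancount, truncated = question, 0, False
    for rr in answers:
        if 12 + len(body) + len(rr) > UDP_MAX:  # 12 = fixed DNS header size
            truncated = True
            break
        body += rr
        ancount += 1
    flags = 0x8400 | (0x0200 if truncated else 0)  # QR|AA, plus TC when truncated
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + body, truncated

def needs_tcp_retry(message: bytes) -> bool:
    """Resolver side: a set TC bit means the UDP answer is incomplete and the
    query has to be retried over TCP; a firewall dropping TCP/53 breaks this."""
    flags = struct.unpack("!H", message[2:4])[0]
    return bool(flags & 0x0200)

def answer_count(message: bytes) -> int:
    """ANCOUNT field of the header: how many answer records actually fit."""
    return struct.unpack("!H", message[6:8])[0]

if __name__ == "__main__":
    # Constructed sample: 20 A records for one name (a large round-robin set).
    rrs = [a_record("www.example.net", f"192.0.2.{i}") for i in range(1, 21)]
    msg, tc = build_udp_response(0x1234, "www.example.net", rrs)
    print(f"{len(msg)} bytes, {answer_count(msg)} of {len(rrs)} answers, TC={tc}")
```

With 20 records of 31 bytes each only 15 fit under the limit, so the UDP reply carries 15 answers with TC set and a correct resolver immediately opens a TCP connection to port 53 for the full answer.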