From owner-freebsd-security Mon Jul 27 03:12:51 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA17628 for freebsd-security-outgoing; Mon, 27 Jul 1998 03:12:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id DAA17535 for ; Mon, 27 Jul 1998 03:12:30 -0700 (PDT) (envelope-from sthaug@nethelp.no) From: sthaug@nethelp.no Received: (qmail 27148 invoked by uid 1001); 27 Jul 1998 10:12:00 +0000 (GMT) To: jkb@best.com Cc: netadmin@fastnet.co.uk, security@FreeBSD.ORG Subject: Re: ipfw rules to allow DNS activity In-Reply-To: Your message of "Mon, 27 Jul 1998 01:48:00 -0700 (PDT)" References: X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Mon, 27 Jul 1998 12:12:00 +0200 Message-ID: <27146.901534320@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > DNS uses UDP for resolver queries (most of the time). > DNS used TCP for zone transfers (always). > > If you don't want to allow zone transfer from that computer, don't > worry about allowing TCP as long as your DNS response will never exceed > 512 bytes. > (yes I know one can also use xfrnets to stop unauthorized zone > transfers but this is ipfw talk *grin*) Use the tools appropriate for the job. In this case, it's much better to use BIND 8, which allows you fine grained control over zone transfers. It's not a good idea to block TCP port 53, because you may get TCP queries even if you don't have answers exceeding 512 bytes. Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message