From owner-freebsd-current Mon Jul 1 10:44:54 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA15432 for current-outgoing; Mon, 1 Jul 1996 10:44:54 -0700 (PDT)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id KAA15418 for ; Mon, 1 Jul 1996 10:44:51 -0700 (PDT)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <14477(1)>; Mon, 1 Jul 1996 10:44:07 PDT
Received: from localhost ([127.0.0.1]) by crevenia.parc.xerox.com with SMTP id <177476>; Mon, 1 Jul 1996 10:43:57 -0700
X-Mailer: exmh version 1.6.7 5/3/96
To: nash@mcs.com
cc: current@freebsd.org, nate@mt.sri.com, roberto@keltia.freenix.fr
Subject: Re: Firewalling DNS TCP (was Re: IPFW bugs?)
In-reply-to: Your message of "Sat, 29 Jun 1996 08:07:51 PDT." <199606291507.KAA06356@zen.nash.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 1 Jul 1996 10:43:51 PDT
From: Bill Fenner
Message-Id: <96Jul1.104357pdt.177476@crevenia.parc.xerox.com>
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199606291507.KAA06356@zen.nash.org> you write:
>ftp://ftp.cert.org/pub/tech_tips/packet_filtering has the following
>to say about DNS TCP transfers:
>
>  Because of flaws in the protocol or chronic system administration
>  problems, we recommend that the following services be filtered:
>
>  DNS zone transfers - socket 53 (TCP)

If you can be sure that your DNS server will never return an answer that's too big to fit in a UDP packet, then go ahead and filter port 53. If you have lots of name servers, lots of MX'ers, or lots of A records for any given name, then you will lose big if you filter TCP port 53.

This recommendation is a "chronic sysadmin problem", not a protocol problem -- just add an xfrnets directive to your named.boot and you will solve the security problem without breaking the protocol.

Bill
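The point Bill makes above (a name with many A records produces an answer that no longer fits in a 512-byte UDP datagram, so the server sets the TC bit and the resolver must retry over TCP port 53) can be checked with a short stdlib-only script. This is an added illustration, not part of the original message or of any named release; the hostname and addresses are constructed sample values, and it ignores EDNS0 so that the classic RFC 1035 limit applies.

```python
import struct

UDP_DNS_MAX = 512   # classic DNS-over-UDP payload limit (RFC 1035), no EDNS0
TYPE_A, CLASS_IN = 1, 1
FLAG_TC = 0x0200    # "truncated" bit in the header flags word

def encode_name(name):
    """Encode a dotted hostname in DNS wire (length-prefixed label) format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_a_response(name, addrs, ttl=3600):
    """Build a minimal DNS response carrying one A record per address.
    Each answer RR names its owner with a compression pointer (0xC00C)
    back to the question name, as real servers do."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b""
    for a in addrs:
        rdata = bytes(int(octet) for octet in a.split("."))
        answers += struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, len(rdata))
        answers += rdata
    return header + question + answers

def needs_tcp(msg):
    """True if the full answer cannot be delivered over plain UDP."""
    return len(msg) > UDP_DNS_MAX

def truncate_for_udp(msg):
    """What a server sends when the answer does not fit: the same header
    with TC set and the answer section dropped. Without TCP/53 the client
    never gets more than this."""
    ident, flags = struct.unpack("!HH", msg[:4])
    header = struct.pack("!HHHHHH", ident, flags | FLAG_TC, 1, 0, 0, 0)
    return header + msg[12:12 + len(encode_name_from_msg(msg)) + 4]

def encode_name_from_msg(msg):
    """Recover the encoded question name from a message built above."""
    end = msg.index(b"\x00", 12) + 1
    return msg[12:end]

def max_a_records_over_udp(name):
    """Largest A-record set for `name` that still fits in one UDP answer."""
    n = 0
    while not needs_tcp(build_a_response(name, ["10.0.0.1"] * (n + 1))):
        n += 1
    return n
```

For a name like example.com, answers with more than 30 A records force the TCP retry that a TCP/53 filter would block; a server that restricts zone transfers by client network (the xfrnets approach) avoids the problem without touching the transport.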