From owner-freebsd-chat Sat Jun 29 09:51:52 1996
Return-Path: owner-chat
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA14088 for chat-outgoing; Sat, 29 Jun 1996 09:51:52 -0700 (PDT)
Received: from irz301.inf.tu-dresden.de (irz301.inf.tu-dresden.de [141.76.1.11]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id JAA14083 for ; Sat, 29 Jun 1996 09:51:49 -0700 (PDT)
Received: from sax.sax.de by irz301.inf.tu-dresden.de (8.6.12/8.6.12-s1) with ESMTP id SAA05847; Sat, 29 Jun 1996 18:50:47 +0200
Received: (from uucp@localhost) by sax.sax.de (8.6.12/8.6.12-s1) with UUCP id SAA17308; Sat, 29 Jun 1996 18:50:47 +0200
Received: (from j@localhost) by uriah.heep.sax.de (8.7.5/8.6.9) id SAA29276; Sat, 29 Jun 1996 18:33:36 +0200 (MET DST)
From: J Wunsch
Message-Id: <199606291633.SAA29276@uriah.heep.sax.de>
Subject: Re: Firewalling DNS TCP (was Re: IPFW bugs?)
To: chat@freebsd.org
Date: Sat, 29 Jun 1996 18:33:35 +0200 (MET DST)
Cc: nate@mt.sri.com, roberto@keltia.freenix.fr, nash@mcs.com
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
In-Reply-To: <199606291507.KAA06356@zen.nash.org> from Alex Nash at "Jun 29, 96 10:07:51 am"
X-Phone: +49-351-2012 669
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-chat@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

(Moved to -chat since it's of political, not technical nature. :)

As Alex Nash wrote:

> We suggest that sites filter socket 53 (TCP) to prevent domain
> name service zone transfers. Permit access to socket 53 (TCP)
> only from known secondary domain name servers. This prevents
> intruders from gaining additional knowledge about the systems
> connected to your local network.

I think that idea is fundamentally flawed. :-)

I usually transfer DNS zone files if I think this will take load off
my line (e.g. for zones I know I'm referencing quite often).

DNS is a _public service_, and if local sites have something you can
learn from a DNS zone transfer, this is rather an indication that
there's something else broken at this site. E.g., they are using a
firewall to hide the administrative chaos they've got in their local
network, and thus don't want you to know about the local hosts -- but
of course, you are a clever Bad Guy, thus you do already know which
hosts they've got and which are vulnerable, and at the least, you know
how to get this information even without the support of their DNS
server. <:)

Further, the above statement is moot if the ``known secondary domain
name servers'' don't follow the same policy, and if they are not sure
whether all their ``known secondary domain name servers'' are beyond
suspicion that they do also filter port 53 etc...

``Firewalls are a lame excuse for total lack of local system
administration.'' :)

-- 
cheers, J"org               joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/
                                                  -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
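The policy quoted in this message (TCP port 53 reachable only from known secondaries, UDP 53 open to everyone) and the objection raised against it (the filter on the primary buys nothing if a secondary answers zone transfers to anyone) can both be made concrete with a small first-match rule evaluator. The following Python is an added illustration written for this archive page, not code from the thread, from FreeBSD, or from ipfw: it parses a subset of ipfw's rule syntax and evaluates packets against it in first-match order with a default deny, which is how ipfw itself behaves. The addresses (192.0.2.1 as the primary, 192.0.2.53 and 198.51.100.2 as its secondaries, 203.0.113.9 as an arbitrary outside host) are constructed documentation-range values, and the secondary's "allow everything" rule set is an assumption chosen to show the caveat, not a description of any real site.

```python
"""Constructed example: a first-match evaluator for an ipfw-like rule subset,
used to check the 'TCP 53 only from secondaries' policy and its weak spot."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # dotted-quad source address
    dst: str     # dotted-quad destination address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port


def _net(token: str) -> ipaddress.IPv4Network:
    """'any' or an address/prefix in ipfw style -> IPv4Network."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_rule(text: str) -> Rule:
    """Parse '<action> <proto> from <src> to <dst> [<dport>]' (subset of ipfw syntax)."""
    parts = text.split()
    if len(parts) < 6 or parts[2] != "from" or parts[4] != "to":
        raise ValueError(f"unparseable rule: {text!r}")
    action, proto = parts[0], parts[1]
    if action not in ("allow", "deny") or proto not in ("tcp", "udp", "ip"):
        raise ValueError(f"unsupported action/protocol in: {text!r}")
    dport = int(parts[6]) if len(parts) > 6 else None
    return Rule(action, proto, _net(parts[3]), _net(parts[5]), dport)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins, as in ipfw; nothing matching means deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed addresses (RFC 5737 documentation ranges).
PRIMARY = "192.0.2.1"
SECONDARIES = ["192.0.2.53", "198.51.100.2"]
OUTSIDER = "203.0.113.9"


def zone_transfer_policy(primary: str, secondaries: List[str]) -> List[Rule]:
    """The quoted recommendation as rules: TCP 53 only from secondaries, UDP 53 open."""
    lines = [f"allow tcp from {s} to {primary} 53" for s in secondaries]
    lines.append(f"deny tcp from any to {primary} 53")
    lines.append(f"allow udp from any to {primary} 53")
    return [parse_rule(line) for line in lines]


PRIMARY_RULES = zone_transfer_policy(PRIMARY, SECONDARIES)

# Assumption for the caveat: the secondary at 198.51.100.2 filters nothing.
UNFILTERED_SECONDARY_RULES = [parse_rule("allow ip from any to any")]


def decide_at_primary(proto: str, src: str, dport: int = 53) -> str:
    return evaluate(PRIMARY_RULES, Packet(proto, src, PRIMARY, dport))


def decide_at_secondary(proto: str, src: str, dport: int = 53) -> str:
    """Same zone, served by the unfiltered secondary: the transfer goes through."""
    return evaluate(UNFILTERED_SECONDARY_RULES, Packet(proto, src, SECONDARIES[1], dport))


if __name__ == "__main__":
    for label, fn in (("primary", decide_at_primary), ("secondary", decide_at_secondary)):
        print(label, "tcp/53 from secondary:", fn("tcp", SECONDARIES[0]))
        print(label, "tcp/53 from outsider: ", fn("tcp", OUTSIDER))
        print(label, "udp/53 from outsider: ", fn("udp", OUTSIDER))
```

Running it shows the primary denying TCP 53 from the outside host while still answering UDP queries, and the unfiltered secondary allowing the same TCP 53 connection; the zone data the primary's filter was meant to hide is exactly as available from the secondary, which is the point of the objection above. The rule set is ordered deliberately: the per-secondary allows come before the catch-all deny, because a first-match filter that had the deny first would also lock out the legitimate secondaries.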