From owner-freebsd-current Sat Jun 29 08:08:12 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA07618 for current-outgoing; Sat, 29 Jun 1996 08:08:12 -0700 (PDT)
Received: from zen.nash.org (nash.pr.mcs.net [204.95.47.72]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA07557 for ; Sat, 29 Jun 1996 08:07:36 -0700 (PDT)
Received: (from alex@localhost) by zen.nash.org (8.7.5/8.6.12) id KAA06356; Sat, 29 Jun 1996 10:07:51 -0500 (CDT)
Date: Sat, 29 Jun 1996 10:07:51 -0500 (CDT)
Message-Id: <199606291507.KAA06356@zen.nash.org>
From: Alex Nash
To: current@FreeBSD.ORG
Cc: nate@mt.sri.com, roberto@keltia.freenix.fr
Subject: Firewalling DNS TCP (was Re: IPFW bugs?)
Reply-to: nash@mcs.com
Sender: owner-current@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

ftp://ftp.cert.org/pub/tech_tips/packet_filtering has the following to say
about DNS TCP transfers:

    Because of flaws in the protocol or chronic system administration
    problems, we recommend that the following services be filtered:

        DNS zone transfers   - socket 53 (TCP)
        tftpd                - socket 69 (UDP)
        link                 - socket 87 (TCP) (commonly used by intruders)
        SunRPC & NFS         - socket 111 and 2049 (UDP and TCP)
        BSD UNIX "r" cmds    - sockets 512, 513, and 514 (TCP)
        lpd                  - socket 515 (TCP)
        uucpd                - socket 540 (TCP)
        openwindows          - socket 2000 (UDP and TCP)
        X windows            - socket 6000+ (UDP and TCP)

    We suggest that sites filter socket 53 (TCP) to prevent domain name
    service zone transfers.  Permit access to socket 53 (TCP) only from
    known secondary domain name servers.  This prevents intruders from
    gaining additional knowledge about the systems connected to your local
    network.

Alex
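The policy CERT recommends above, worked through as an added example (not part of Alex Nash's post or of the CERT tech tip): a minimal model of an ordered, first-match packet filter, which is how ipfw evaluates its rule list, loaded with "permit TCP to the master's port 53 only from the known secondaries, deny everyone else, leave UDP alone". The master and secondary addresses are RFC 5737 documentation addresses chosen here, and every packet is constructed inline. The last case shows the ordering pitfall that makes such a restriction silently stop working.

```python
"""
Added example: an ordered first-match filter (ipfw-style) carrying the CERT
port 53 recommendation. Addresses and packets are constructed; the topology
(one master, two known secondaries) is an assumption for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed topology (RFC 5737 documentation addresses).
MASTER = "192.0.2.53"
SECONDARIES = ("198.51.100.10", "203.0.113.20")


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: Optional[str] = None    # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None  # destination port only, on purpose

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("ip", pkt.proto)
            and self.src in (None, pkt.src)
            and self.dst in (None, pkt.dst)
            and self.dport in (None, pkt.dport)
        )


def evaluate(rules: list, pkt: Packet) -> str:
    """First matching rule decides, as in ipfw; fall through to a final deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def dns_policy(master: str, secondaries) -> list:
    """CERT's advice, ordered so the specific allows come before the deny."""
    rules = [Rule("allow", "udp", dst=master, dport=53)]      # ordinary lookups
    rules += [Rule("allow", "tcp", src=s, dst=master, dport=53)
              for s in secondaries]                            # zone transfers
    rules.append(Rule("deny", "tcp", dst=master, dport=53))    # everyone else
    rules.append(Rule("allow", "ip"))                          # unrelated traffic
    return rules


def shadowed_policy(master: str, secondaries) -> list:
    """Same rules with a broad 'make DNS work' allow placed first. It matches
    before the deny ever gets a look, so the restriction no longer applies."""
    return [Rule("allow", "ip", dport=53)] + dns_policy(master, secondaries)


RULES = dns_policy(MASTER, SECONDARIES)

# Constructed traffic.
ZONE_XFER_FROM_SECONDARY = Packet("tcp", "198.51.100.10", 40001, MASTER, 53)
ZONE_XFER_FROM_STRANGER = Packet("tcp", "192.0.2.250", 40002, MASTER, 53)
UDP_QUERY_FROM_STRANGER = Packet("udp", "192.0.2.250", 40003, MASTER, 53)
# The master's own outbound TCP lookup is answered *from* port 53 to an
# ephemeral port; matching on destination port leaves that reply alone.
REPLY_TO_MASTERS_LOOKUP = Packet("tcp", "203.0.113.99", 53, MASTER, 40004)

if __name__ == "__main__":
    cases = [
        ("TCP/53 from known secondary", ZONE_XFER_FROM_SECONDARY),
        ("TCP/53 from stranger", ZONE_XFER_FROM_STRANGER),
        ("UDP/53 from stranger", UDP_QUERY_FROM_STRANGER),
        ("reply to master's own lookup", REPLY_TO_MASTERS_LOOKUP),
    ]
    for name, pkt in cases:
        print(f"{name:30s} {evaluate(RULES, pkt)}")
    print(f"{'stranger, shadowed rule set':30s} "
          f"{evaluate(shadowed_policy(MASTER, SECONDARIES), ZONE_XFER_FROM_STRANGER)}")
```

In ipfw(8) terms the rule set has the same three-part shape: one `allow tcp from <secondary> to <master> 53` per secondary, then `deny tcp from any to <master> 53`, with the deny numbered after the allows and, on a real host, both restricted to the inbound interface. Because the rules key on the destination port, the master's own TCP queries to other servers (answered from port 53 to an ephemeral port) are unaffected; a rule written to match port 53 in either direction would break them.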