From owner-freebsd-current Sat Jun 29 19:03:42 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA02272 for current-outgoing; Sat, 29 Jun 1996 19:03:42 -0700 (PDT)
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id TAA02248 for ; Sat, 29 Jun 1996 19:03:38 -0700 (PDT)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.eu.org [193.56.58.253]) by who.cdrom.com (8.6.12/8.6.11) with ESMTP id PAA19860 for ; Sat, 29 Jun 1996 15:59:04 -0700
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.eu.org [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id AAA00430; Sun, 30 Jun 1996 00:53:36 +0200
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id AAA01039; Sun, 30 Jun 1996 00:53:28 +0200
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.Alpha.5/keltia-uucp-2.8) id AAA01405; Sun, 30 Jun 1996 00:51:44 +0200 (MET DST)
From: Ollivier Robert
Message-Id: <199606292251.AAA01405@keltia.freenix.fr>
Subject: Re: Firewalling DNS TCP (was Re: IPFW bugs?)
To: nash@mcs.com
Date: Sun, 30 Jun 1996 00:51:43 +0200 (MET DST)
Cc: current@FreeBSD.ORG, nate@mt.sri.com
In-Reply-To: <199606291507.KAA06356@zen.nash.org> from Alex Nash at "Jun 29, 96 10:07:51 am"
X-Operating-System: FreeBSD 2.2-CURRENT ctm#2111
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-current@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

It seems that Alex Nash said:
> We suggest that sites filter socket 53 (TCP) to prevent domain name
> service zone transfers. Permit access to socket 53 (TCP) only from
> known secondary domain name servers. This prevents intruders from
> gaining additional

I'm afraid I don't agree in theoria (sp?).
In practice, if you really want to stop people getting your internal network, it is far easier to install a double DNS (private and public) than trying to restrict zone transfer with IP filtering. You would have to ensure that your secondaries also restrict zone transfer.

Example: almost all .FR servers in France restrict zone transfer. Just take PRINCETON.EDU and do "dig axfr .FR." from it...

You can filter zone transfer directly from /etc/named.boot (xfrnets).

In practice, if you're sure no query can be of more than 512 bytes, then you can cut TCP/53. But IMO you don't gain that much.

-- 
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #11: Thu Jun 13 11:01:47 MET DST 1996
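
Added example, not part of the original message: a server marks a UDP answer that did not fit in 512 bytes by setting the TC (truncated) flag, and the client then retries over TCP/53, so counting truncated responses shows which names would stop resolving if TCP/53 were cut. The sample packets and the names `needs_tcp`, `tcp_dependent` and `build_response` are constructed for illustration.

```python
import struct

TC_BIT = 0x0200   # "truncated" flag in the DNS header flags word
QR_BIT = 0x8000   # set on responses, clear on queries


def read_qname(msg, off):
    """Decode the uncompressed question name that starts at offset off."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not expected in question")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + "."


def needs_tcp(msg):
    """Return (qname, bool): does this UDP response force a retry over TCP?"""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & QR_BIT:
        raise ValueError("not a response")
    qname = read_qname(msg, 12) if qdcount else "."
    return qname, bool(flags & TC_BIT)


def tcp_dependent(responses):
    """Names whose answers were truncated and therefore depend on TCP/53."""
    return sorted(q for q, tcp in map(needs_tcp, responses) if tcp)


def build_response(name, truncated):
    """Constructed sample packet: header plus one question, no answer records."""
    flags = QR_BIT | 0x0400 | (TC_BIT if truncated else 0)   # QR + AA (+ TC)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)


# Constructed input: one answer that fit in UDP, one that was truncated.
SAMPLES = [build_response("www.example.org.", False),
           build_response("big.example.org.", True)]

if __name__ == "__main__":
    print(tcp_dependent(SAMPLES))
```
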