Date: Fri, 24 Mar 2000 04:33:34 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Kevin Oberman <oberman@es.net>
Cc: J A Shamsi <jashamsi@yahoo.com>, freebsd-questions@FreeBSD.ORG
Subject: Re: DNS and FIREWALL
Message-ID: <20000324043334.C303@hades.hell.gr>
In-Reply-To: <200003240019.QAA22485@ptavv.es.net>; from oberman@es.net on Thu, Mar 23, 2000 at 04:19:31PM -0800
References: <20000324013459.I654@hades.hell.gr> <200003240019.QAA22485@ptavv.es.net>
On Thu, Mar 23, 2000 at 04:19:31PM -0800, Kevin Oberman wrote:
> > From: Giorgos Keramidas <keramida@ceid.upatras.gr>
> >
> > Being selective on who gets allowed to connect to port tcp/53 is
> > not a bad thing. For instance if you just want your named to
> > play secondary for some zone, no need to allow incoming tcp/53
> > connections. You can make your named use a non-privileged
> > ephemeral port for queries, and allow only outgoing connections to
> > tcp/53.
>
> I'm afraid that this is a very bad idea. The specifications are
> explicit that a UDP transfer is tried (except for zone transfers)
> and, if the data is too large for a UDP transfer (512 octets), a TCP
> connection is made. The 512 octet limit is specified in the DNS RFC
> and BIND enforces this limit.

Then, correct me if I'm wrong, but it seems that apart from bandwidth
limiting with DUMMYNET, one cannot do much to protect a running named
from a DoS attack. Is that right?

- Giorgos Keramidas

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
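The UDP-first, TCP-fallback behaviour that the quoted reply describes, as an added example written for this archive page and not code from the thread or from BIND: a modelled server truncates any answer that would exceed the 512-octet UDP payload limit and sets the TC flag, and the client reads TC to decide whether it must repeat the query over tcp/53 (which is why even a query-only secondary needs outbound tcp/53 open). All packets are constructed in memory; the header layout, flag bits and 512-octet limit are those of RFC 1035, and the answer payloads are placeholder bytes.

```python
import struct

UDP_LIMIT = 512  # classic DNS-over-UDP payload limit (RFC 1035)

# Header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # 1 = response
FLAG_AA = 0x0400  # authoritative answer
FLAG_TC = 0x0200  # truncated: client must retry over TCP


def build_header(txid, flags, qd=0, an=0, ns=0, ar=0):
    """Pack the 12-octet DNS header, big-endian."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


def parse_flags(packet):
    """Return (qr, tc, rcode) from a DNS packet's header flags."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    flags = struct.unpack("!H", packet[2:4])[0]
    return (flags >> 15) & 1, (flags >> 9) & 1, flags & 0xF


def server_udp_response(txid, full_answer):
    """Server side: send the answer over UDP if it fits, else truncate and set TC.
    full_answer is the encoded question+answer sections (constructed bytes here)."""
    flags = FLAG_QR | FLAG_AA
    body = full_answer
    if 12 + len(body) > UDP_LIMIT:
        flags |= FLAG_TC
        body = body[: UDP_LIMIT - 12]  # ship what fits; the client must not trust the rest
    return build_header(txid, flags) + body


def needs_tcp_retry(udp_response):
    """Client side: a truncated response means the query must be repeated over tcp/53."""
    qr, tc, _ = parse_flags(udp_response)
    return qr == 1 and tc == 1


def resolve(txid, full_answer):
    """Simulate the exchange; return which transport finally carried the answer."""
    udp = server_udp_response(txid, full_answer)
    if needs_tcp_retry(udp):
        # Over TCP the message is prefixed with a 2-octet length and not capped at 512
        tcp = struct.pack("!H", 12 + len(full_answer)) + build_header(txid, FLAG_QR | FLAG_AA) + full_answer
        return "tcp", tcp[2:]
    return "udp", udp
```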