Date: Mon, 1 Jul 1996 10:43:51 PDT
From: Bill Fenner <fenner@parc.xerox.com>
To: nash@mcs.com
Cc: current@freebsd.org, nate@mt.sri.com, roberto@keltia.freenix.fr
Subject: Re: Firewalling DNS TCP (was Re: IPFW bugs?)
Message-ID: <96Jul1.104357pdt.177476@crevenia.parc.xerox.com>
In-Reply-To: Your message of "Sat, 29 Jun 1996 08:07:51 PDT." <199606291507.KAA06356@zen.nash.org>
In message <199606291507.KAA06356@zen.nash.org> you write:
>ftp://ftp.cert.org/pub/tech_tips/packet_filtering has the following
>to say about DNS TCP transfers:
>
>   Because of flaws in the protocol or chronic system administration
>   problems, we recommend that the following services be filtered:
>
>   DNS zone transfers - socket 53 (TCP)

If you can be sure that your DNS server will never return an answer
that's too big to fit in a UDP packet, then go ahead and filter port 53.
If you have lots of name servers, lots of MX'ers, or lots of A records
for any given name, then you will lose big if you filter TCP port 53.

This recommendation is a "chronic sysadmin problem", not a protocol
problem -- just add an xfrnets directive to your named.boot and you will
solve the security problem without breaking the protocol.

  Bill
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?96Jul1.104357pdt.177476>
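The two points in the message above, as an added, stand-alone example that is not part of the original mail or of BIND: (1) a DNS answer that does not fit in a 512-byte UDP message (the pre-EDNS0 limit of RFC 1035) comes back with the TC bit set and the resolver retries over TCP/53, so blocking TCP/53 silently breaks names with many A or NS records; (2) restricting zone transfers is an access-control decision on the server, which is what an xfrnets-style list does. The `udp_response`, `axfr_allowed` and `parse_xfrnets` functions, the "net&mask" parsing, and the classful mask for a bare network are assumptions made for illustration; they mimic the named.boot directive, they are not its implementation.

```python
"""
Added example (not from the FreeBSD mail archive page or from BIND).

Assumptions:
  * DNS over UDP without EDNS0 carries at most 512 bytes (RFC 1035 4.2.1).
    A server whose answer does not fit sets TC; the client retries on TCP/53.
  * parse_xfrnets() mimics the BIND 4 "xfrnets net&mask ..." form; a bare
    network is given its classful mask here (assumption, not BIND code).
"""
import ipaddress
import struct

UDP_MAX = 512      # RFC 1035 UDP message limit, no EDNS0
FLAG_TC = 0x0200   # "TrunCation" bit in the DNS header flags


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname: str, addrs, txid: int = 0x1234) -> bytes:
    """Full response: header, one question, one A RR per address.
    Every answer owner is a compression pointer (0xC00C) to the question
    name, so each A record costs exactly 16 bytes on the wire."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for ip in addrs:
        rdata = ipaddress.IPv4Address(ip).packed
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answers


def udp_response(msg: bytes) -> bytes:
    """What can go out over UDP: the whole message if it fits, otherwise the
    header plus question with TC set and no answers.  A resolver that sees TC
    reissues the query over TCP/53, which is exactly what a TCP/53 filter
    blocks."""
    if len(msg) <= UDP_MAX:
        return msg
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qend = msg.index(b"\x00", 12) + 1 + 4   # end of QNAME + QTYPE/QCLASS
    return struct.pack("!HHHHHH", txid, flags | FLAG_TC, qd, 0, 0, 0) + msg[12:qend]


def is_truncated(msg: bytes) -> bool:
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def parse_xfrnets(directive: str):
    """Parse 'xfrnets 192.168.1.0&255.255.255.0 10.0.0.0' into networks.
    'net&mask' uses the given mask; a bare net gets its classful mask
    (assumption for this example)."""
    nets = []
    for tok in directive.split()[1:]:
        if "&" in tok:
            net, mask = tok.split("&", 1)
            nets.append(ipaddress.IPv4Network((net, mask), strict=False))
        else:
            first = int(tok.split(".")[0])
            plen = 8 if first < 128 else 16 if first < 192 else 24
            nets.append(ipaddress.IPv4Network((tok, plen), strict=False))
    return nets


def axfr_allowed(directive: str, client_ip: str) -> bool:
    """Server-side decision: only listed networks may pull the zone.
    Compared with filtering TCP/53 at the firewall, this stops AXFR while
    ordinary large answers still complete over TCP."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in net for net in parse_xfrnets(directive))


if __name__ == "__main__":
    # Constructed input: a name with 30 A records (a big round-robin set).
    full = build_a_response("www.example.com", ["10.0.0.%d" % i for i in range(1, 31)])
    print("full answer:", len(full), "bytes; over UDP ->",
          "TC set, client retries on TCP/53" if is_truncated(udp_response(full)) else "fits")
    print("AXFR from 192.168.1.7 allowed:",
          axfr_allowed("xfrnets 192.168.1.0&255.255.255.0", "192.168.1.7"))
```

For the constructed name above, 29 A records total 497 bytes and fit in one UDP datagram; the 30th pushes the message to 513 bytes, the UDP reply carries only the 33-byte header and question with TC set, and the resolver's TCP retry is the packet a port-53 TCP filter drops. The xfrnets check makes the same distinction the message draws: a zone transfer is refused by address on the server, while the TCP fallback for oversized answers is left alone.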