Date:      Sat, 29 Jun 1996 10:07:51 -0500 (CDT)
From:      Alex Nash <alex@zen.nash.org>
To:        current@FreeBSD.ORG
Cc:        nate@mt.sri.com, roberto@keltia.freenix.fr
Subject:   Firewalling DNS TCP (was Re: IPFW bugs?)
Message-ID:  <199606291507.KAA06356@zen.nash.org>

ftp://ftp.cert.org/pub/tech_tips/packet_filtering has the following 
to say about DNS TCP transfers:

   Because of flaws in the protocol or chronic system administration
   problems, we recommend that the following services be filtered:
   
           DNS zone transfers - socket 53 (TCP)
           tftpd              - socket 69 (UDP)
           link               - socket 87 (TCP) (commonly used by intruders)
           SunRPC & NFS       - socket 111 and 2049 (UDP and TCP)
           BSD UNIX "r" cmds  - sockets 512, 513, and 514 (TCP)
           lpd                - socket 515 (TCP)
           uucpd              - socket 540 (TCP)
           openwindows        - socket 2000 (UDP and TCP)
           X windows          - socket 6000+ (UDP and TCP)
   
   We suggest that sites filter socket 53 (TCP) to prevent domain name service
   zone transfers.  Permit access to socket 53 (TCP) only from known secondary
   domain name servers.  This prevents intruders from gaining additional
   knowledge about the systems connected to your local network.

Alex
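
The CERT recommendation quoted above, expressed as an ipfw ruleset. This is an added example and is not part of Alex's message or of the CERT document; the addresses, the list of secondaries, the rule numbers and the IPFW variable are assumptions for illustration. With the default IPFW=echo the script only prints the rules it would load, so the ordering can be reviewed before pointing IPFW at /sbin/ipfw.

```shell
#!/bin/sh
# Added example, not from the original message: ipfw rules that permit
# TCP/53 (zone transfers) only from known secondaries and deny it from
# everyone else, while leaving UDP/53 queries open.
# All addresses below are assumed/constructed for illustration.

NS=192.0.2.53                            # assumed: our primary name server
SECONDARIES="198.51.100.7 203.0.113.9"   # assumed: secondaries allowed to pull zones
IPFW=${IPFW:-echo ipfw}                  # dry run by default; set IPFW=/sbin/ipfw to load

# ipfw is first-match, so the per-secondary allow rules must be numbered
# below the catch-all deny.  "setup" matches only the initial SYN, so the
# deny blocks new inbound connections to port 53 and nothing else.
gen_dns_rules() {
    n=1000
    for s in $SECONDARIES; do
        $IPFW add $n allow tcp from $s to $NS 53 setup
        n=$((n + 10))
    done
    # log denied zone-transfer attempts: useful for spotting reconnaissance
    $IPFW add $n deny log tcp from any to $NS 53 setup
    n=$((n + 10))
    # packets belonging to already-open TCP connections (ACK or RST set)
    $IPFW add $n allow tcp from any to any established
    n=$((n + 10))
    # ordinary DNS queries and answers
    $IPFW add $n allow udp from any to $NS 53
}

gen_dns_rules
```

Because the deny rule carries `setup`, it blocks only new inbound TCP connections to port 53 on the name server; the server's own outbound TCP queries (used when an answer is too large for UDP) and their replies are not affected. A secondary whose address changes will silently stop receiving transfers until SECONDARIES is updated, so the list should be kept in step with the name server's own transfer access controls.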


