Date: Sun, 30 Jun 1996 00:51:43 +0200 (MET DST)
From: Ollivier Robert <roberto@keltia.freenix.fr>
To: nash@mcs.com
Cc: current@FreeBSD.ORG, nate@mt.sri.com
Subject: Re: Firewalling DNS TCP (was Re: IPFW bugs?)
Message-ID: <199606292251.AAA01405@keltia.freenix.fr>
In-Reply-To: <199606291507.KAA06356@zen.nash.org> from Alex Nash at "Jun 29, 96 10:07:51 am"
It seems that Alex Nash said:
> We suggest that sites filter socket 53 (TCP) to prevent domain name
> service zone transfers. Permit access to socket 53 (TCP) only from
> known secondary domain name servers. This prevents intruders from
> gaining additional

I'm afraid I don't agree in theory (sp?). In practice, if you really want to stop people getting your internal network, it is far easier to install a double DNS (private and public) than trying to restrict zone transfer with IP filtering. You would have to ensure that your secondaries also restrict zone transfer.

Example: almost all .FR servers in France restrict zone transfer. Just take PRINCETON.EDU and do "dig axfr .FR." from it...

You can filter zone transfer directly from /etc/named.boot (xfrnets).

In practice, if you're sure no query can be of more than 512 bytes, then you can cut TCP/53. But IMO you don't gain that much.

-- 
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #11: Thu Jun 13 11:01:47 MET DST 1996
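As an added illustration of the named.boot approach mentioned above (not part of the original message, and the zone name and addresses are made-up placeholders), a BIND 4 boot file that restricts zone transfers to a single known secondary's network; the same xfrnets line has to be present on that secondary as well, or the zone leaks from there:

```text
; /etc/named.boot on the primary (BIND 4 syntax, added example)
directory   /etc/namedb
primary     example.org     db.example.org
cache       .               named.root

; xfrnets: only these hosts/nets may pull a zone transfer (AXFR).
; Address&mask form; 192.0.2.0/24 stands in for the secondary's network.
xfrnets     192.0.2.0&255.255.255.0
```

Ordinary queries from anywhere are still answered; only AXFR requests from addresses outside the list are refused, which is the per-zone control the message contrasts with blocking TCP/53 at the packet filter.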