From: Rich Wilson (wk633yahoo.com)
Date: Fri Jun 29 2001 - 13:57:17 CDT
It is not true that DNS only uses TCP for zone transfers. TCP is certainly
used for anything larger than 512 bytes. My experience with blocking TCP 53 is
that _most_ things work, but having some lookups break isn't worth the minor
risk involved in allowing a machine to initiate outbound TCP connections. If
you have good port filtering, you can require the response to be established
for TCP back in.
--- Symen Mulders <symenmlakechamplain.com> wrote:
> > Since the machine's unique goal is to handle DNS traffic, I configure the
> > following:
> > On TCP Field Permit Only TCP 53
> > On UDP Field Permit Only UDP 53
> > On IP Field Permit All
> Does your DNS service need to allow zone transfers, i.e. to a secondary DNS
> server? If not, you don't need to allow traffic on 53/tcp, as 53/udp is all
> that is necessary for basic lookups.
> Also, be aware that the Windows NT DNS service is really only designed to be
> a backend to a domain controller, so if you need a full-fledged DNS server, I
> recommend using DJBDNS (it is much more secure than BIND) on some sort of
> Unix system (I would recommend OpenBSD, as it is also very secure). Check
> out DJBDNS at http://cr.yp.to/djbdns.html.
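The point about responses larger than 512 bytes, as an added example (not code from either poster): a stub resolver sends its query over UDP, and when the server's answer does not fit the classic 512-byte UDP payload the server sets the TC (truncation) bit, which tells the resolver to repeat the query over TCP. The constructed packets and the hypothetical `transport_plan` helper below show what happens to that retry under a filter that allows only 53/udp versus one that also allows 53/tcp with established responses back in.

```python
import struct

# Added example: a stub resolver's UDP/TCP decision for DNS, built on
# constructed packets. Not code from the mailing-list thread.

UDP_MAX_PAYLOAD = 512   # classic DNS-over-UDP limit (RFC 1035) the post refers to
FLAG_QR = 0x8000        # header flag: packet is a response
FLAG_TC = 0x0200        # header flag: answer was truncated, retry over TCP


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234, qtype=1):
    """Minimal A-record query: header with RD set, one question, no records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(packet):
    """Decode the 12-byte DNS header into the fields a resolver cares about."""
    if len(packet) < 12:
        raise ValueError("DNS packet shorter than 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def build_response(query, answers):
    """Constructed server behaviour: echo the question, append A records.

    If the full answer would exceed 512 bytes on UDP, do what a server does:
    set TC and cut the payload at the UDP limit.
    """
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    rrs = b""
    for ip in answers:
        # compression pointer to the question name (offset 12), type A, class IN,
        # TTL 60, RDLENGTH 4, then the four address octets
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        rrs += bytes(int(o) for o in ip.split("."))
    flags = 0x8180                      # QR, RD, RA set; NOERROR
    body = question + rrs
    packet = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0) + body
    if len(packet) > UDP_MAX_PAYLOAD:
        flags |= FLAG_TC
        packet = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0) + body
        packet = packet[:UDP_MAX_PAYLOAD]
    return packet


def transport_plan(udp_response, tcp53_allowed):
    """Hypothetical helper: what the resolver does next, given the filter policy.

    tcp53_allowed models a filter that permits the resolver's outbound TCP
    connection to port 53 and the established responses coming back.
    """
    hdr = parse_header(udp_response)
    if not hdr["tc"]:
        return "udp-complete"            # whole answer fit in one datagram
    return "tcp-retry" if tcp53_allowed else "lookup-fails"


if __name__ == "__main__":
    q = build_query("example.test")
    small = build_response(q, ["192.0.2.1"])
    big = build_response(q, ["192.0.2.%d" % i for i in range(1, 41)])
    for label, pkt in (("small", small), ("big", big)):
        print(label, len(pkt), "bytes, TC =", parse_header(pkt)["tc"],
              "| udp-only:", transport_plan(pkt, False),
              "| udp+tcp:", transport_plan(pkt, True))
```

Run stand-alone, the 40-record answer comes back as 512 bytes with TC set; the same packet yields `lookup-fails` under a udp-only policy and `tcp-retry` once 53/tcp with established responses is permitted, which is the lookup breakage the reply warns about.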