OSEC

 
From: Rich Wilson (wk633yahoo.com)
Date: Fri Jun 29 2001 - 13:57:17 CDT


    It is not true that DNS only uses TCP for zone transfers. TCP is certainly
    used for anything larger than 512 bytes. My experience with blocking TCP 53 is
    that _most_ things work, but having some lookups break isn't worth the minor
    risk involved of allowing a machine to initiate outbound TCP connections. If
    you have good port filtering, you can require the response to be established
    for TCP back in.

    --- Symen Mulders <symenmlakechamplain.com> wrote:
    > > Since the machine's unique goal is to handle DNS traffic, I configure the
    > > following:
    > >
    > > On TCP Field Permit Only TCP 53
    > > On UDP Field Permit Only UDP 53
    > > On IP Field Permit All
    > >
    >
    > Does your DNS service need to allow zone transfers, i.e. to a secondary DNS
    > server? If not, you don't need to allow traffic on 53/tcp, as 53/udp is all
    > that is necessary for basic lookups.
    >
    > Also, be aware that the Windows NT DNS service is really only designed to be
    > a backend to a domain controller, so if you need a full-fledged DNS server, I
    > recommend using DJBDNS (it is much more secure than BIND) on some sort of
    > Unix system (I would recommend OpenBSD, as it is also very secure). Check
    > out DJBDNS at http://cr.yp.to/djbdns.html.

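The 512-byte fallback the reply refers to, as an added worked example (written for this page, not code from either poster): a server that cannot fit its answer in a classic 512-byte UDP datagram sends back a header with the TC (truncated) bit set, and the client is expected to retry the same query over TCP 53. The DNS messages below are constructed by hand, and the bytes after the header are placeholder filler standing in for resource records, not real RR encodings.

```python
import struct

# RFC 1035 header: id, flags, qdcount, ancount, nscount, arcount (12 bytes)
DNS_HEADER = struct.Struct("!HHHHHH")
UDP_PAYLOAD_LIMIT = 512   # classic UDP limit, before EDNS0 larger payloads

FLAG_QR = 0x8000          # response
FLAG_AA = 0x0400          # authoritative answer
FLAG_TC = 0x0200          # truncated: client should retry over TCP
FLAG_RD = 0x0100          # recursion desired
FLAG_RA = 0x0080          # recursion available


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg)
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def server_udp_reply(full_answer: bytes) -> bytes:
    """Model the server side: an answer that fits goes out unchanged over UDP;
    a larger one is cut down to the header with TC set and the answer
    section counts zeroed (a simplified but representative truncation)."""
    if len(full_answer) <= UDP_PAYLOAD_LIMIT:
        return full_answer
    txid, flags, qd, _an, _ns, _ar = DNS_HEADER.unpack_from(full_answer)
    return DNS_HEADER.pack(txid, flags | FLAG_TC, qd, 0, 0, 0)


def client_transport_after_reply(reply: bytes, tcp53_allowed: bool) -> str:
    """Model the resolver side: 'udp' if the answer was complete, 'tcp' if it
    must retry over TCP 53, and 'broken' if the filter blocks that retry
    (the lookup failure the poster describes)."""
    if not parse_header(reply)["tc"]:
        return "udp"
    return "tcp" if tcp53_allowed else "broken"


# Constructed sample messages: a normal response header plus filler bytes.
BASE_FLAGS = FLAG_QR | FLAG_AA | FLAG_RD | FLAG_RA
SMALL_ANSWER = DNS_HEADER.pack(0x1234, BASE_FLAGS, 1, 1, 0, 0) + b"\x00" * 40
LARGE_ANSWER = DNS_HEADER.pack(0x1234, BASE_FLAGS, 1, 30, 0, 0) + b"\x00" * 600
```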