[lug] TCP port 53?
rm at fabula.de
rm at fabula.de
Wed Jul 21 05:13:29 MDT 2004
On Wed, Jul 21, 2004 at 05:07:03AM -0600, Jonathan wrote:
> On Tue, 20 Jul 2004 Dan Ferris wrote:
>
> > You don't have to open tcp 53 for regular DNS, only for servers that
> > will be doing zone xfers (secondary servers).
>
> You seem to have missed the last several posts.
> [...]
>
> With the usage of large numbers of servers for load-balancing and name
> servers for redundancy the need for TCP can be encountered in the
> wild. On a day to day basis most queries will work without it, but
> when they start failing it's easy to overlook why. You don't gain
> anything real in security by blocking tcp/53 and you do lose some
> amount of reliability & interoperability.
>
I'd second that. Closing _destination_ port 53/protocol TCP is asking for
trouble. Esp. since newer uses of DNS will make "oversized" DNS replies
rather common (not only load balancing servers or MX records for the handfull
of surviving mail providers - DNS-Sec and key distribution will produce
rather large response packages).
just my 0.02 $
Ralf Mattes
> --
> Jonathan Conway rise at knavery.net
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
More information about the LUG
mailing list