Re: nat and dns

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Jason Opperisano wrote:
find me a response to a client resolver request that doesn't fit in a
single UDP packet, and i'll stop seeing red every time i see someone
recommend allowing TCP 53 from any IP to their DNS server (*).

Theoretically (since I don't know of any such implementation), it is perfectly legal to have resolver library that first tries TCP, and than UDP :-P


Of course, such approach would be waste of network resources (sending one UDP datagram one way, and another the other way is usually at least as fast as only establishihg new TCP connection without sending any data through it).

Anyhow, I don't see why are you going red when you see TCP port 53 open? If it is possible for random internet site to fetch zone from DNS server, it is misconfiguration of DNS server, not of the firewall. OSI layers and all that stuff, you know ;-). If your DNS server does not allow you to restrict who can do zone transfers, that you should seriously consider switching to different DNS server that does. It is the same as if you were to restrict one directory on HTTP server to only certain range of IP addresses, and than blame it on firewall when you misconfigure HTTP server.

--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux