Re: AW: AW: [suse-security] Bind again
Frank Lederer wrote:
Why are you sure that you need tcp to 53? For normal requests udp is enough. Or am I wrong...
Can I close the 53 TCP? Are you sure?
--
Sometimes I believe there is life on other planets, and sometimes I believe there is not. In either case, the conclusion is astonishing (Carl Sagan)
On Sun, Apr 22, 2001 at 12:12 +0800, Dennis wrote:
If your DNS does not need 'zone transfer', you can close port 53.

Not completely true. DNS queries can be run over UDP as well as TCP. It's just that *usually* queries are UDP packets while transfers are *always* TCP. This doesn't rule out TCP queries, they're just uncommon. They become necessary when the answer won't fit into a UDP packet (think of AOL MX lookups or some other query with a large result, like much aliased machines or many redundant servers in a farm (w/o dedicated load balancers)).

One may allow queries via both protocols when serving DNS -- while specifying who's allowed to transfer zones. It's not a packet filter thing but a matter of DNS configuration!

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
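As an added illustration of the truncation case described in the message above (not code from any poster in this thread): a resolver that receives a UDP reply with the TC (truncated) header bit set has to repeat the query over TCP, which is what a filter blocking TCP/53 breaks. The function names and the hand-built sample replies are assumptions made for this example.

```python
import struct

QR_FLAG = 0x8000  # set on responses
TC_FLAG = 0x0200  # "truncated": the full answer did not fit in the UDP reply

def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(txid, name, qtype):
    """Build a one-question query (class IN) with recursion desired set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return the six 16-bit DNS header fields as a dict."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    keys = ("id", "flags", "qdcount", "ancount", "nscount", "arcount")
    return dict(zip(keys, struct.unpack("!HHHHHH", msg[:12])))

def must_retry_over_tcp(query, udp_reply):
    """True when the UDP reply belongs to the query and has TC set."""
    q, r = parse_header(query), parse_header(udp_reply)
    if r["id"] != q["id"] or not r["flags"] & QR_FLAG:
        raise ValueError("reply does not match query")
    return bool(r["flags"] & TC_FLAG)

def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

# Constructed sample data: an MX query (type 15) and two hand-built
# replies that echo the question; answer records are left out.
QUERY = build_query(0x1A2B, "example.com", 15)
SMALL_REPLY = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 0, 0, 0) + QUERY[12:]
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1A2B, 0x8380, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    for label, reply in (("small", SMALL_REPLY), ("truncated", TRUNCATED_REPLY)):
        print(label, "-> retry over TCP:", must_retry_over_tcp(QUERY, reply))
```

With TCP/53 filtered, the retry for the truncated reply never completes and the lookup fails even though ordinary UDP queries keep working.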
-----Original message-----
From: Dennis [mailto:dlbt@pacific.net.sg]
Sent: Saturday, April 21, 2001 9:13 PM
To: hgonzale@celularshow.com; Frank Lederer; suse-security@suse.com
Subject: Re: AW: AW: [suse-security] Bind again

If your DNS does not need 'zone transfer', you can close port 53.

Dennis/sg
Why are you sure that you need tcp to 53? For normal requests udp is enough. Or am I wrong...
Can I close the 53 TCP? Are you sure?

No, you shouldn't. Some DNS requests require TCP. A zone transfer usually is done with TCP.

[]s
Davi
participants (4)
- Davi de Castro Reis
- Dennis
- Gerhard Sittig
- Hipolito A. Gonzalez M.