Re: [suse-security] dns zone x-fers on tcp 53
> What is the reason for installing pri dns server in a self owned DMZ and sec dns server at the isp?
Convenience - you can manipulate the zones easier.
> If the firewall is not stateful this enables inet users to do dns probes on tcp 53 and other worse things.
why? you can block tcp port 53 for everyone except the ip of the secondary NS.

bye Markus
--
Markus Gaugusch ICQ 11374583 markus@gaugusch.dhs.org
ASCII Ribbon Campaign Against HTML Mail
On Wed, Mar 28, 2001 at 14:54 +0200, Markus Gaugusch wrote:
> > What is the reason for installing pri dns server in a self owned DMZ and sec dns server at the isp?
> Convenience - you can manipulate the zones easier.
> > If the firewall is not stateful this enables inet users to do dns probes on tcp 53 and other worse things.
> why? you can block tcp port 53 for everyone except the ip of the secondary NS.
Plus any decent name server software lets you control who's able to do transfers (independent of who's allowed to query you by means of TCP). Remember, DNS queries don't run on UDP only!

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
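The two controls the thread discusses, as an added example that is not part of either post: a packet-filter rule set that only lets the ISP's secondary reach TCP/53 (Markus's suggestion) next to a BIND `allow-transfer` ACL that restricts transfers inside the name server itself (Gerhard's point). The addresses are placeholders from the RFC 5737 documentation ranges and the zone name is assumed; the script only prints the iptables commands unless `RUN` is set to an empty string, so it can be read and tested without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the original thread. Addresses and zone name are
# assumed placeholders (RFC 5737 documentation ranges).
SECONDARY_NS=${SECONDARY_NS:-192.0.2.53}    # assumed: ISP's secondary NS
PRIMARY_NS=${PRIMARY_NS:-198.51.100.10}     # assumed: our primary in the DMZ
ZONE=${ZONE:-example.com}                   # assumed zone name
# RUN defaults to echo so the rules are only printed; RUN="" applies them.
RUN=${RUN:-echo}

# Option 1: a stateless packet filter in front of the DMZ. UDP/53 stays open
# to everyone, TCP/53 is accepted from the secondary only and dropped for
# everybody else, so outsiders cannot probe the TCP side at all.
firewall_rules() {
    $RUN iptables -A FORWARD -p udp -d "$PRIMARY_NS" --dport 53 -j ACCEPT
    $RUN iptables -A FORWARD -p tcp -s "$SECONDARY_NS" -d "$PRIMARY_NS" --dport 53 -j ACCEPT
    $RUN iptables -A FORWARD -p tcp -d "$PRIMARY_NS" --dport 53 -j DROP
}

# Option 2: restrict transfers in the name server. Queries over TCP remain
# possible for everyone, but AXFR/IXFR is only answered for the ACL members.
# The global "none" makes every zone closed unless it says otherwise.
named_conf() {
    cat <<EOF
acl "secondaries" { $SECONDARY_NS; };

options {
    allow-query    { any; };
    allow-transfer { none; };
    notify yes;
};

zone "$ZONE" {
    type master;
    file "db.$ZONE";
    allow-transfer { secondaries; };
    also-notify    { $SECONDARY_NS; };
};
EOF
}

firewall_rules
named_conf
```

The filter variant drops TCP/53 for every other host, which also drops the legitimate TCP retry a resolver makes when a UDP answer comes back truncated (the TC bit); that is the sense in which DNS queries do not run on UDP only. The `allow-transfer` ACL has no such side effect, so it is the control to rely on, with the packet filter as an extra layer if the firewall is stateless anyway. After applying either, `dig @198.51.100.10 example.com axfr` from a host other than the secondary should fail with a transfer refusal or a timeout.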