
Re: [FW-1] DNS TCP



DNS over TCP is used for two purposes that I know of, and unless there is an
established need I would not allow it through your firewall.

It can happen if DNS servers are doing zone transfers.  You should probably
be aware of who you would want to do this with, so if you decided to allow
it through, you should only allow it with specific DNS servers that are
"trusted".

It can also happen when a DNS request returns too much information to fit
into one packet -- which is limited to 512k I think due to initial
implementations of DNS code.  If the information can not fit into the first
packet (which is still sent using DNS/UDP) then it will indicate that in the
first packet and then the "remote" (other) will initiate a DNS/TCP
connection to your server.

Those are the only legitimate purposes, and the second case is rare.  Even if
it happens, make sure it is important to the business unit before you allow
it, and try to restrict this exchange as much as possible.

It is a bad thing to allow because your DNS servers contain a wealth of
information about any given company.  In some cases, it may even include the
hardware and OS of the systems (although this is rare as well).  If you
allow someone to do zone transfers to or from your DNS servers you are
either allowing your DNS servers to be poisoned or handing over all that
information to someone who is most likely trying to find a way in.

----- Original Message -----
From: "Holland, Stephen" <[email protected]>
To: <[email protected]>
Sent: Thursday, May 09, 2002 11:44 AM
Subject: [FW-1] DNS TCP


> Could someone give me a security explanation on the good, bad, need or not
> need to open up TCP port 53 to the outside world.  Is there a need for TCP
> 53, if it should be open to whom (local ISP???), is there EVER a need for
> it, if so when and why?
>
> Thanks for all your replies
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

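The two cases the reply describes, worked on the wire as an added example (this is not code from the original post or from the list). It builds a query and answer in raw RFC 1035 format with no sockets: the server side drops whole records from an answer that will not fit the classic 512-byte UDP ceiling and sets the TC bit, the client side reads that bit to decide on a TCP retry, and a small policy function shows the distinction a transfer ACL or DNS-aware filter draws between an AXFR/IXFR request (only from listed secondaries) and an ordinary query arriving over TCP (the retry case). Zone names and addresses are constructed placeholders; the "trusted secondaries" list is an assumed input.

```python
"""DNS over TCP: zone transfer vs. TC-bit retry, constructed offline.

Added example, not from the original post. No sockets, no real zone; names
and addresses below are placeholders from documentation ranges.
"""
import ipaddress
import struct

DNS_UDP_MAX = 512      # RFC 1035: classic UDP payload ceiling, in bytes
QTYPE_A = 1
QTYPE_IXFR = 251       # incremental zone transfer
QTYPE_AXFR = 252       # full zone transfer, only sensible over TCP
FLAG_QR = 0x8000
FLAG_TC = 0x0200       # "truncated": client should retry over TCP
FLAG_RD = 0x0100
FLAG_RA = 0x0080


def encode_name(name):
    """Plain label encoding, no compression pointers (keeps parsing simple)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def query_type(query):
    """QTYPE of the first question; what a transfer ACL keys on."""
    end = query.index(b"\x00", 12)          # terminator of the uncompressed QNAME
    return struct.unpack("!H", query[end + 1:end + 3])[0]


def a_record(owner, ip, ttl=300):
    """One A RR: owner name, type, class IN, TTL, RDLENGTH=4, address."""
    return (encode_name(owner) + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4)
            + ipaddress.IPv4Address(ip).packed)


def server_answer(query, rrs, transport):
    """Assemble a response. Over UDP, drop whole RRs from the end until the
    message fits in 512 bytes and set TC so the client knows to retry over
    TCP. Over TCP the full answer goes out."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]                   # echo the question section
    kept = list(rrs)
    truncated = False
    if transport == "udp":
        while 12 + len(question) + sum(len(r) for r in kept) > DNS_UDP_MAX:
            kept.pop()
            truncated = True
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(kept), 0, 0)
    return header + question + b"".join(kept)


def client_needs_tcp_retry(response):
    """A resolver reads TC from the header and, if set, re-asks over TCP."""
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_TC)


def answer_count(response):
    return struct.unpack("!H", response[6:8])[0]


def permit_tcp_query(query, src_ip, trusted_secondaries):
    """Policy for an inbound TCP/53 query, as a transfer ACL or DNS-aware
    filter would apply it: AXFR/IXFR only from the listed secondaries
    (assumed input); any other type is the TC-retry case and is allowed."""
    if query_type(query) in (QTYPE_AXFR, QTYPE_IXFR):
        trusted = {ipaddress.ip_address(t) for t in trusted_secondaries}
        return ipaddress.ip_address(src_ip) in trusted
    return True


def demo():
    # Constructed zone: 40 A records for one name, enough to exceed 512 bytes.
    q = build_query("big.example.test", QTYPE_A)
    rrs = [a_record("big.example.test", f"192.0.2.{i}") for i in range(1, 41)]
    udp = server_answer(q, rrs, "udp")
    tcp = server_answer(q, rrs, "tcp")
    axfr = build_query("example.test", QTYPE_AXFR)
    secondaries = ["198.51.100.2"]          # assumed trusted secondary
    return {
        "udp_len": len(udp), "udp_answers": answer_count(udp),
        "retry_over_tcp": client_needs_tcp_retry(udp),
        "tcp_len": len(tcp), "tcp_answers": answer_count(tcp),
        "axfr_from_secondary": permit_tcp_query(axfr, "198.51.100.2", secondaries),
        "axfr_from_stranger": permit_tcp_query(axfr, "203.0.113.9", secondaries),
        "plain_query_over_tcp": permit_tcp_query(q, "203.0.113.9", secondaries),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Each A record here is 32 bytes and the question 22, so only 14 of the 40 records fit under 512 bytes over UDP and TC is set; the same answer over TCP carries all 40. The policy function is the server-side or filter-side half of the reply's advice: a TCP/53 connection is not itself the problem, a transfer request from an unlisted source is.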
   All contents © 2004 Network Presence, LLC. All rights reserved.