Re: [FW-1] DNS TCP
In my previous email I think I accidentally typed "DNS requests over 512k". It was supposed to be 512 bytes. Sorry.

I do have to disagree with what appears to be the general consensus here, though. FROM A SECURITY standpoint, one should provide the least amount of privilege possible while still being able to do what needs to be done. That would include shutting down all services not necessary to provide the desired functionality.

Ideally all your internal users would query an internal DNS server, which would query an intermediate DNS server in a DMZ, which would then query remote Internet DNS servers. Ideally these would only be UDP requests, and you would not allow anything but UDP replies inbound. If you find that in your particular case you need to open up some more, do it carefully and by giving as little as possible. If you need to allow zone transfers, try to partner with particular DNS servers.

As a side note, there are more and more ways to protect your DNS servers, depending upon which implementation you are running and other third-party software.

----- Original Message -----
From: "Joe Pampel" <[email protected]>
To: <[email protected]>
Sent: Thursday, May 09, 2002 1:01 PM
Subject: Re: [FW-1] DNS TCP

> Check the archives for the past week or so. There was a long thread about this.
> In a nutshell: you need UDP & TCP port 53 open. 53/TCP handles zone transfers as well
> as any DNS request over 512 bytes (did I get that right?). If you just run a caching DNS
> server you can probably get away with keeping TCP 53 closed, but it *can* cause
> problems. For example, I ran our DNS servers with 53/tcp closed at the FW for a *long* time (nearly a year)
> and have never had a complaint from any user about reachability. I was lucky.
>
> >>> "Holland, Stephen" <[email protected]> 05/09/02 11:44AM >>>
> Could someone give me a security explanation on the good, bad, need or not
> need to open up TCP port 53 to the outside world. Is there a need for TCP
> 53? If it should be open, to whom (local ISP???)? Is there EVER a need for
> it, and if so, when and why?
>
> Thanks for all your replies

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
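The whole thread turns on why TCP 53 is needed at all: a reply that does not fit in a 512-byte UDP datagram comes back with the TC (truncated) flag set and the resolver repeats the same query over TCP 53, while a zone transfer (AXFR) is opened over TCP from the start. The Python below is an added example written for this page; it is not part of the list post and has nothing to do with Check Point FireWall-1 itself. It builds DNS messages by hand from constructed sample records, uses no network access, and the function names (build_response, needs_tcp_retry, initial_transport) are this example's own. It shows the server-side truncation and the client-side decision that a UDP-only firewall rule silently breaks.

```python
import struct

# RFC 1035 section 4.2.1: a DNS message carried over UDP is limited to 512 bytes
# (before EDNS0, which lets a client advertise a larger UDP buffer).
UDP_MAX_PAYLOAD = 512

QTYPE_A = 1
QTYPE_AXFR = 252          # zone transfer: carried over TCP 53 from the start
QUESTION_OFFSET = 12      # the question name always starts right after the header


def encode_name(qname):
    """Encode a dotted name as DNS labels, terminated by the root label."""
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(qname, qtype=QTYPE_A, txid=0x1234):
    """Client side: a standard query (QR=0, RD=1), class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Parse the fixed 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "tc": bool(flags & 0x0200),   # 1 = truncated: retry over TCP
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def a_record(ip, ttl=300):
    """An A RR whose owner name is a compression pointer to the question name (16 bytes)."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    return struct.pack("!HHHIH", 0xC000 | QUESTION_OFFSET, QTYPE_A, 1, ttl, len(rdata)) + rdata


def build_response(query, answers, transport="udp"):
    """Server side: answer `query` with the pre-encoded RRs in `answers`.

    Over UDP a reply that would exceed UDP_MAX_PAYLOAD is truncated: the answer
    section is dropped and TC is set so the client retries over TCP. Over TCP the
    full message is always returned.
    """
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180  # QR=1, RD=1 (copied from the query), RA=1
    full = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0) + question + b"".join(answers)
    if transport == "tcp" or len(full) <= UDP_MAX_PAYLOAD:
        return full
    return struct.pack("!HHHHHH", txid, flags | 0x0200, 1, 0, 0, 0) + question


def needs_tcp_retry(query, reply):
    """Client side: True when `reply` is a truncated answer to `query`."""
    h = parse_header(reply)
    if not h["qr"] or h["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("reply is not a response to this query")
    return h["tc"]


def initial_transport(query):
    """Which transport a resolver opens first: AXFR goes straight to TCP."""
    qtype = struct.unpack("!H", query[-4:-2])[0]
    return "tcp" if qtype == QTYPE_AXFR else "udp"


def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    q = build_query("example.com")
    # Constructed sample data: two A records fit in UDP, forty do not.
    small = build_response(q, [a_record("192.0.2.1"), a_record("192.0.2.2")])
    big_rrs = [a_record("192.0.2.%d" % i) for i in range(1, 41)]
    big = build_response(q, big_rrs)
    print("small reply: %d bytes, tc=%s" % (len(small), needs_tcp_retry(q, small)))
    print("big reply:   %d bytes, tc=%s" % (len(big), needs_tcp_retry(q, big)))
    if needs_tcp_retry(q, big):
        retry = build_response(q, big_rrs, transport="tcp")
        print("retry over TCP 53 carries %d bytes" % len(tcp_frame(retry)))
    print("AXFR starts on:", initial_transport(build_query("example.com", QTYPE_AXFR)))
```

Two caveats a practitioner would want alongside the thread: EDNS0 lets a client advertise a UDP buffer larger than 512 bytes, so that figure is the pre-EDNS floor rather than a hard ceiling, and a truncating server still sets TC in exactly the same way. And a rule that passes UDP 53 only does not make large answers disappear, it turns every TC=1 reply into a resolution failure; limiting TCP 53 to the specific partner servers that need zone transfers, as the post suggests, keeps the attack surface small without that breakage.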