
Re: Problems with IP tables firewall (DNS and what the heck is this WinME box doing)



> On Thu, Jun 07, 2001 at 08:48:54AM +0100, Robert Davies wrote:
> [snip]
> > Bind8 changed to query other servers, from a non-privileged
> > port.  So you may well need either to invoke the 'use
> > privileged port option' in /etc/named.conf, or (better) to
> > allow outgoing packets with a destination port of 53.
> >
> > The TCP/IP connection is used for things like zone transfers,
> > so you may be better to restrict that to other known name
> > servers.
> [snip]
>
> AFAIK, TCP is used to zone transfers and also other large
> queries.  Not sure what "large" is defined as, though.  i.e. by
> blocking TCP port 53, most things will work, but there's a
> chance that some large queries will not work.
>
> Maybe someone else can comment...

DNS query packets are designed to be small; they pack domain names, for
example.
Large transfers are things like "ls" of the domain in nslookup; I think it is
explained in the BOG.

Some of the security problems of BIND have been due to using the hints that
are included to allow reduction of the number of queries, giving addresses
of servers, and using non-authoritative data, filling out the answer to an
amount that fits easily in one UDP packet and is faster than many round
trips of very small packets.

It is the DNS server-server transfers that can be (legitimately) large, and
use a TCP/IP stream.  Thus you need it to contact primary/secondaries, or
perhaps not at all.  I think this has caught out firewallers in the past,
though normal queries functioned in the normal way.

Just wanted to clear up what I was suggesting, I realise it would break some
features of nslookup(8).

Rob
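The "large query" case the thread is worried about is the DNS truncation (TC) bit: a reply that will not fit the classic 512-byte UDP limit comes back truncated and the resolver retries the same query over TCP port 53, which is exactly what an outbound block on TCP 53 breaks. The following is an added Python example, not code from this thread; the header layout and the 512-byte limit are from RFC 1035, and the two sample replies are constructed, not captured traffic.

```python
import struct

UDP_PAYLOAD_LIMIT = 512  # classic DNS-over-UDP limit without EDNS0 (RFC 1035)


def parse_dns_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,       # 1 = this is a response
        "opcode": (flags >> 11) & 0xF,
        "tc": (flags >> 9) & 1,        # 1 = truncated, answer is incomplete
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_reply: bytes) -> bool:
    """A resolver falls back to TCP/53 when a UDP response carries TC=1."""
    h = parse_dns_header(udp_reply)
    return h["qr"] == 1 and h["tc"] == 1


def lookup_outcome(udp_reply: bytes, tcp53_outbound_allowed: bool) -> str:
    """What the firewall policy does to this lookup (constructed model)."""
    if not needs_tcp_retry(udp_reply):
        return "answered over UDP"
    if tcp53_outbound_allowed:
        return "answered over TCP"
    return "fails: TCP fallback blocked by firewall"


def build_header(ident: int, truncated: bool, ancount: int) -> bytes:
    """Build a constructed response header (QR=1, optional TC=1)."""
    flags = (1 << 15) | ((1 << 9) if truncated else 0)
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)


# Constructed sample replies: an ordinary small answer and a truncated one.
SMALL_REPLY = build_header(0x1234, truncated=False, ancount=1)
TRUNCATED_REPLY = build_header(0x1234, truncated=True, ancount=0)

if __name__ == "__main__":
    for name, reply in (("small", SMALL_REPLY), ("truncated", TRUNCATED_REPLY)):
        print(name, "->", lookup_outcome(reply, tcp53_outbound_allowed=False))
```

Run against real captures by feeding the UDP payload bytes to `lookup_outcome`; any reply with TC=1 is one that a TCP/53 block would turn into a failed lookup.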


