Re: Ports to block?
On Thu, Apr 05, 2001 at 09:38:46PM +0100, Steve Ball wrote:
> If you run a web server then open port 80 tcp, if you have SMTP inbound
> email then open port 25 tcp, if you run your own DNS for your domain
> then open port 53 udp.
You're going to be upset the first time you hit a site that has enough
information in the DNS response to break the UDP size limit. BIND
will switch to TCP and you will drop the packets.
Lots of A records in a round-robin type situation or lots of NS records
in a response and BIND will switch to TCP to get the answer.
[Ever wonder why there are so few root servers? The NS answer has to stay
within the UDP packet size limit for a single packet or some old
severely broken resolvers can't get the NS records for the
And if you're really running your own DNS, you may need TCP open for
zone transfers to your secondary nameserver off-site. (You *do* have an
off-site secondary, right? On a different network? ;-) )
Nate Duehr <email@example.com>
GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
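An added illustration, not part of the thread, of the failure mode Nate describes: a constructed DNS answer with many A records grows past the classic 512-byte UDP payload limit (pre-EDNS), so the server sets the TC (truncated) flag and the resolver has to retry over TCP port 53, which a UDP-only firewall rule drops. The helper names and the 192.0.2.x sample addresses are constructed for this example.

```python
import struct

UDP_PAYLOAD_LIMIT = 512  # classic DNS-over-UDP limit without EDNS
TC_FLAG = 0x0200         # "truncated" bit in the DNS header flags word


def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname, addresses, txid=0x1234, ttl=300):
    """Constructed sample: a minimal response with one A record per address."""
    flags = 0x8180  # QR=1 (response), RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answers


def fit_udp(response):
    """Mimic a server answering over UDP: if the message will not fit in
    512 bytes, keep only the header and question and set TC so the client
    retries over TCP (this is the point where a UDP-only port 53 rule bites)."""
    if len(response) <= UDP_PAYLOAD_LIMIT:
        return response
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    qend = response.index(b"\x00", 12) + 5  # end of name + QTYPE/QCLASS
    return struct.pack("!HHHHHH", txid, flags | TC_FLAG, qd, 0, 0, 0) + response[12:qend]


def needs_tcp_retry(response):
    """A resolver must re-ask over TCP when the UDP reply carries TC=1."""
    return bool(struct.unpack("!H", response[2:4])[0] & TC_FLAG)


if __name__ == "__main__":
    for count in (29, 30):
        addrs = ["192.0.2.%d" % i for i in range(1, count + 1)]
        reply = fit_udp(build_a_response("www.example.com", addrs))
        print(count, "A records ->", len(reply), "bytes, TCP retry:", needs_tcp_retry(reply))
```

With this record layout 29 A records fit in 497 bytes, while the 30th pushes the message to 513 bytes and the UDP reply comes back truncated.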