Re: Ports to block?
On Thu, Apr 05, 2001 at 09:38:46PM +0100, Steve Ball wrote:
> If you run a web server then open port 80 tcp, if you have SMTP inbound
> email then open port 25 tcp, if you run your own DNS for your domain
> then open port 53 udp.
You're going to be upset the first time you hit a site that has enough
information in the DNS response to break the UDP size limit. BIND
will switch to TCP and you will drop the packets.
Lots of A records in a round-robin-type situation or lots of NS records
in a response and BIND will switch to TCP to get the answer.
[Ever wonder why there's so few root servers? The NS answer has to stay
within the UDP packet size limit for a single packet or some old
severely broken resolvers can't get the NS records for the
root-servers.net zone!]
And if you're really running your own DNS, you may need TCP open for
zone transfers to your secondary nameserver off-site. (You *do* have an
off-site secondary, right? On a different network? ;-) )
--
Nate Duehr <nate@natetech.com>
GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
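As an added illustration of the TCP fallback the reply warns about (this is example code written for this page, not code from the thread or from BIND): a minimal resolver that sends a plain UDP query, inspects the TC (truncated) bit in the reply header, and only then retries over TCP with the two-byte length prefix that DNS-over-TCP uses. The transaction id (0x1234), the nameserver taken from the command line, and the two sample responses are constructed for the example and are not captured traffic. Run it on a host where 53/tcp is filtered and the TCP leg times out, which is the failure the post describes.

```python
import socket
import struct
import sys

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, section 4.1.1).
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated: the answer did not fit in the UDP reply
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available

UDP_MAX = 512  # classic (non-EDNS) UDP payload limit the thread is discussing


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query for `name` (qtype 1 = A, class 1 = IN), no EDNS."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return (txid, flags, qdcount, ancount, nscount, arcount) from a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    return struct.unpack("!HHHHHH", msg[:12])


def is_truncated(msg):
    """True when the server set TC, i.e. the client must repeat the query over TCP."""
    return bool(parse_header(msg)[1] & FLAG_TC)


def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with its 2-byte big-endian length (RFC 1035, 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP connection closed mid-message")
        buf += chunk
    return buf


def resolve(name, server, timeout=3.0):
    """Query `server` over UDP; if the reply has TC set, repeat over TCP.
    Returns (raw_response, transport). With 53/tcp blocked the TCP step
    waits `timeout` seconds and raises, which is the failure the post describes."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        response, _ = udp.recvfrom(UDP_MAX)
    if not is_truncated(response):
        return response, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(frame_for_tcp(query))
        (length,) = struct.unpack("!H", _recv_exact(tcp, 2))
        return _recv_exact(tcp, length), "tcp"


def _sample_response(flags):
    """Constructed sample: the question section of a query echoed back under the given flags."""
    query = build_query("example.com")
    return struct.pack("!HH", 0x1234, flags) + query[4:]


# Constructed test vectors (not captured traffic): one ordinary reply header, one with TC set.
SAMPLE_FULL_RESPONSE = _sample_response(FLAG_QR | FLAG_RD | FLAG_RA)
SAMPLE_TRUNCATED_RESPONSE = _sample_response(FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <name> <nameserver-ip>")
    raw, transport = resolve(sys.argv[1], sys.argv[2])
    _, flags, qd, an, ns, ar = parse_header(raw)
    print(f"{len(raw)} bytes over {transport}: flags=0x{flags:04x} "
          f"qd={qd} an={an} ns={ns} ar={ar}")
```

Two things worth knowing when you test this against a real server: the script deliberately sends no EDNS0 OPT record, so it behaves like the 512-byte-limited resolver of the original post and will see TC on any large RRset; a modern resolver advertises a bigger UDP buffer with EDNS0, which makes truncation rarer but does not remove it. And regardless of response sizes, a zone transfer (AXFR) to the off-site secondary is carried over TCP, so a secondary elsewhere needs 53/tcp open from its address in any case.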