
Re: Ports to block?



On Thu, Apr 05, 2001 at 09:38:46PM +0100, Steve Ball wrote:
> If you run a web server then open port 80 tcp, if you have SMTP inbound 
> email then open port 25 tcp, if you run your own DNS for your domain 
> then open port 53 udp.

You're going to be upset the first time you hit a site that has enough
information in the DNS response to break the UDP size limit.  BIND
will switch to TCP and you will drop the packets.

Lots of A records in a round-robin type situation or lots of NS records
in a response and BIND will switch to TCP to get the answer.

[Ever wonder why there are so few root servers?  The NS answer has to stay
within the UDP packet size limit for a single packet or some old
severely broken resolvers can't get the NS records for the
root-servers.net zone!]

And if you're really running your own DNS, you may need TCP open for
zone transfers to your secondary nameserver off-site.  (You *do* have an
off-site secondary, right?  On a different network?  ;-) )

-- 
Nate Duehr <nate@natetech.com>

GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
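The failure mode Nate describes (a response that no longer fits the 512-byte DNS-over-UDP limit, the server setting the TC bit, and the client retrying over TCP, which a udp-only firewall rule then drops) can be walked through offline. The following is an added illustration, not code from the thread or from BIND: it builds a minimal DNS response on the wire with one A record per address, applies the UDP size limit the way a server does (answer section dropped, TC set), and simulates a resolver that falls back to TCP only if tcp/53 is allowed. The query name, the 10.0.0.x addresses and the `tcp_allowed` flag are constructed for the example.

```python
import struct

DNS_UDP_LIMIT = 512   # RFC 1035 payload limit for DNS over UDP (EDNS0 can raise it)
FLAG_QR = 0x8000      # header flag: this message is a response
FLAG_TC = 0x0200      # header flag: message was truncated, retry over TCP


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, addresses, max_size=None, txid=0x1234):
    """Build a response with one A record per address.

    If max_size is given (the UDP case) and the full message exceeds it, do what
    an authoritative server does: send only the header and question with the
    TC bit set, so the client knows to retry over TCP.
    """
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12;
        # then TYPE=A, CLASS=IN, TTL=300, RDLENGTH=4, followed by the IPv4 bytes.
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    header = struct.pack("!HHHHHH", txid, FLAG_QR, 1, len(addresses), 0, 0)
    msg = header + question + answers
    if max_size is not None and len(msg) > max_size:
        header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_TC, 1, 0, 0, 0)
        msg = header + question
    return msg


def is_truncated(msg):
    """True if the TC bit is set in the DNS header flags (bytes 2-3)."""
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def answer_count(msg):
    """ANCOUNT field of the DNS header (bytes 6-7)."""
    return struct.unpack("!H", msg[6:8])[0]


def resolve(qname, addresses, tcp_allowed):
    """Simulate the client side: query over UDP first; if the reply is
    truncated, retry over TCP, which has no 512-byte limit. Returns
    (transport_used, number_of_A_records_obtained); transport is "none"
    when the TCP retry is blocked by the firewall."""
    udp_reply = build_response(qname, addresses, max_size=DNS_UDP_LIMIT)
    if not is_truncated(udp_reply):
        return ("udp", answer_count(udp_reply))
    if not tcp_allowed:
        # This is the case a udp/53-only rule produces: the retry is dropped.
        return ("none", 0)
    tcp_reply = build_response(qname, addresses, max_size=None)
    return ("tcp", answer_count(tcp_reply))


if __name__ == "__main__":
    # Constructed sample data: a small round-robin and a large one.
    few = ["10.0.0.%d" % i for i in range(1, 6)]
    many = ["10.0.0.%d" % i for i in range(1, 41)]
    print("5 records   :", resolve("www.example.com", few, tcp_allowed=False))
    print("40 records  :", len(build_response("www.example.com", many)), "bytes on the wire")
    print("tcp allowed :", resolve("www.example.com", many, tcp_allowed=True))
    print("tcp blocked :", resolve("www.example.com", many, tcp_allowed=False))
```

With the 21-byte question used here, each A record adds 16 bytes, so around thirty A records in one answer is already enough to push the message past 512 bytes; the lookup then succeeds only when tcp/53 is reachable, which is the practical argument for opening both udp/53 and tcp/53 rather than udp alone.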


