On Sat, 05 May 2001 12:36:05 EDT, Jason Lewis <jlewisat_private> said:
> lookups on UDP 53. Since I have blocked TCP port 53, I have seen a decrease
> in attack attempts on my name servers, primarily because that port isn't
> open. I do still see scans for the DNS ports, but nothing more than a port
> scan.
>
> My question is...Can anyone come up with any pros/cons of doing this?

One downside: A proper DNS setup has at least one off-site secondary (as
Microsoft found out a while ago when all 4 of their DNS servers got cut off
because they were in the same subnet). Make sure you punch a hole in the
block for your secondaries.

Also, if you have a host that has a long list of records, and the packet
ends up being more than 512 bytes long, it will end up using TCP. This may
not be an issue if you don't have such DNS entries yourself. Make sure you
also Do The Right Thing if you have to open an *outbound* connection to
somebody else's port 53 because *they* have a long list and you're trying to
talk to them.

-- 
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
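The 512-byte fallback Valdis describes, shown as an added example (this is editor's illustration code, not part of the original post or of any real resolver). It builds a DNS A query and a server answer with the standard library only, applies the RFC 1035 rule that a UDP answer larger than 512 bytes is cut down and marked TC (truncated), and simulates a stub resolver that retries over TCP when it sees TC. The hostname, the 192.0.2.x addresses and the record counts are constructed sample data; the behaviour of a server that cannot fit its answer into 512 bytes is simplified to "keep what fits, set TC" (real servers differ in which records they drop, but the TC bit is what the client acts on). With TCP/53 filtered, the resolver is left holding a partial answer it must not trust.

```python
"""Toy DNS message builder/parser showing UDP truncation and TCP fallback.
Stdlib only; this is illustration code, not a real resolver or server."""
import struct

UDP_PAYLOAD_LIMIT = 512   # RFC 1035 maximum size of a DNS message over UDP
FLAG_QR = 0x8000          # bit 15: message is a response
FLAG_RD = 0x0100          # bit 8: recursion desired
FLAG_RA = 0x0080          # bit 7: recursion available
FLAG_TC = 0x0200          # bit 9: truncated
QTYPE_A, QCLASS_IN = 1, 1
RR_SIZE = 16              # compressed name (2) + type/class (4) + TTL (4) + RDLENGTH (2) + IPv4 (4)


def encode_name(name):
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid=0x1234):
    """Plain recursive A query: 12-byte header followed by one question."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(query, addresses, max_size=None):
    """Answer the query with one A record per address (constructed data).

    max_size=None models TCP: everything is sent. With a size limit (UDP),
    keep as many answer RRs as fit and set TC, as RFC 1035 6.2 requires.
    Simplification: real servers differ in what they drop when truncating.
    """
    qid, = struct.unpack("!H", query[:2])
    question = query[12:]   # QNAME + QTYPE + QCLASS, echoed back verbatim
    # 0xC00C is a compression pointer to the QNAME at offset 12.
    rrs = [struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 300, 4)
           + bytes(int(octet) for octet in addr.split("."))
           for addr in addresses]
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    kept = rrs
    if max_size is not None:
        room = max_size - (12 + len(question))
        fit = max(room // RR_SIZE, 0)
        if fit < len(rrs):
            kept = rrs[:fit]
            flags |= FLAG_TC
    header = struct.pack("!HHHHHH", qid, flags, 1, len(kept), 0, 0)
    return header + question + b"".join(kept)


def parse_header(msg):
    """Decode the fixed 12-byte header into a dict."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def tcp_frame(msg):
    """RFC 1035 4.2.2: over TCP every message carries a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def resolve(name, addresses, tcp_53_reachable=True):
    """Stub-resolver logic: ask over UDP, retry over TCP if TC is set.

    Returns (transport, answer_count). When the TCP retry is blocked by a
    firewall, only the truncated UDP answer is available.
    """
    query = build_query(name)
    udp_reply = build_response(query, addresses, max_size=UDP_PAYLOAD_LIMIT)
    hdr = parse_header(udp_reply)
    if not hdr["tc"]:
        return "udp", hdr["ancount"]
    if not tcp_53_reachable:
        return "udp-truncated", hdr["ancount"]
    tcp_reply = tcp_frame(build_response(query, addresses))
    length, = struct.unpack("!H", tcp_reply[:2])
    return "tcp", parse_header(tcp_reply[2:2 + length])["ancount"]


if __name__ == "__main__":
    # Constructed sample data: a small and a large A RRset for one name.
    few = ["192.0.2.%d" % i for i in range(1, 5)]
    many = ["192.0.2.%d" % i for i in range(1, 41)]
    print(resolve("www.example.com", few))                          # ('udp', 4)
    print(resolve("www.example.com", many))                         # ('tcp', 40)
    print(resolve("www.example.com", many, tcp_53_reachable=False))  # ('udp-truncated', 29)
```

For the 40-record case the full answer is 673 bytes, so the UDP reply carries only the 29 records that fit under 512 bytes with TC set; a resolver that can reach TCP/53 gets all 40, one that cannot is stuck with 29 and a truncation flag. Modern resolvers also use EDNS0 to negotiate a larger UDP size, which this toy deliberately leaves out to keep the 2001-era 512-byte behaviour visible.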
This archive was generated by hypermail 2b30 : Mon May 07 2001 - 21:15:04 PDT