Re: DNS ports and scans

From: Eyes to the Skies. (sgtphou@fire-eyes.yi.org)
Date: Sat May 05 2001 - 13:18:15 PDT


    Jason Lewis wrote:
    > 
    > DNS queries are on UDP port 53.  TCP port 53 is used for zone transfers.  By
    > blocking TCP port 53 I can't do zone transfers, but clients can still do
    > lookups on UDP 53.  Since I have blocked TCP port 53, I have seen a decrease
    > in attack attempts on my name servers, primarily because that port isn't
    > open.  I do still see scans for the DNS ports, but nothing more than a port
    > scan.
    > 
    > My question is...Can anyone come up with any pros/cons of doing this?
    > 
    > My name servers are successfully serving my domains, so I don't see a
    > downside.  Thoughts?
    
    Well, I run a caching DNS server, only for myself. I was always
    wondering how to stop it from listening on my ppp (outside world)
    interface, since no one on the outside needs to connect to me. I
    firewalled as well.
    
    Today I figured out how to keep it listening only on the IPs/interfaces
    you want.
    
    I have a dial-up box here, which runs the DNS server. I have another box
    that is NAT'd as well. Anyway here's how I got it to listen only on
    127.0.0.1 and 192.168.0.1 :
    
    in /etc/named.conf (this is bind8):
    
    in the options section:
    
    listen-on { 127.0.0.1; 192.168.0.1; };
    
    So now, it doesn't even bother to listen on the outside world (ppp0).
    
    Other thoughts, if you do need it open to the outside world, would be to
    have it use a different listen port. Anything other than 53.
    -- 
    
     http://c64.arcsnet.net/
     ICQ UIN 1551505
     "The things you own, they end up owning you." - Tyler Durden
    
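An added example, not code from either poster: a small checker that reads the options block of a BIND named.conf (a constructed sample is embedded, modelled on the listen-on line above) and reports whether named would bind every interface or hand out zone transfers to any host. It assumes the real BIND directive allow-transfer, which the post does not mention, and that a missing allow-transfer falls back to BIND's historical default of "any".

```python
import re
from typing import List, Optional

# Constructed sample named.conf, following the options block from the post.
SAMPLE_CONF = """
options {
    directory "/var/named";   // working directory
    listen-on { 127.0.0.1; 192.168.0.1; };
    allow-transfer { 192.168.0.2; };
};
"""

_COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.DOTALL)


def _block(conf: str, name: str) -> Optional[str]:
    """Return the text inside the top-level `name { ... }` block, or None."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), conf)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(conf)):  # match braces so nested lists are kept
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[start:i]
    return None  # unterminated block


def _address_list(block: str, directive: str) -> Optional[List[str]]:
    """Return the address-match list of `directive` (e.g. listen-on), or None."""
    pat = r"\b%s\s*(?:port\s+\d+\s*)?\{([^}]*)\}" % re.escape(directive)
    m = re.search(pat, block)
    if not m:
        return None
    return [item.strip() for item in m.group(1).split(";") if item.strip()]


def audit(conf: str) -> dict:
    """Summarise exposure: where named binds and who may pull zone transfers.
    No listen-on means every interface; no allow-transfer means any host."""
    opts = _block(_COMMENT_RE.sub("", conf), "options") or ""
    listen = _address_list(opts, "listen-on")
    xfer = _address_list(opts, "allow-transfer")
    return {
        "listen_on": listen,
        "allow_transfer": xfer,
        "listens_everywhere": listen is None or "any" in listen,
        "transfers_unrestricted": xfer is None or "any" in xfer,
    }
```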
    This archive was generated by hypermail 2b30 : Mon May 14 2001 - 08:51:52 PDT