Jason Lewis wrote:
>
> DNS queries are on UDP port 53. TCP port 53 is used for zone transfers. By
> blocking TCP port 53 I can't do zone transfers, but clients can still do
> lookups on UDP 53. Since I have blocked TCP port 53, I have seen a decrease
> in attack attempts on my name servers, primarily because that port isn't
> open. I do still see scans for the DNS ports, but nothing more than a port
> scan.
>
> My question is... Can anyone come up with any pros/cons of doing this?
>
> My name servers are successfully serving my domains, so I don't see a
> downside. Thoughts?

Well, I run a caching DNS server, only for myself. I was always wondering how to stop it from listening on my ppp (outside world) interface, since no one on the outside needs to connect to me. I firewalled as well.

Today I figured out how to keep it listening only on the IPs/interfaces you want.

I have a dial-up box here, which runs the DNS server. I have another box that is NAT'd as well.

Anyway, here's how I got it to listen only on 127.0.0.1 and 192.168.0.1:

in /etc/named.conf (this is bind8), in the options section:

    listen-on { 127.0.0.1; 192.168.0.1; };

So now, it doesn't even bother to listen on the outside world (ppp0).

Other thoughts, if you do need it open to the outside world, would be to have it use a different listen port. Anything other than 53.

--
http://c64.arcsnet.net/
ICQ UIN 1551505
"The things you own, they end up owning you." - Tyler Durden
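The reply above restricts the listener with a BIND `listen-on` statement. As an added example that is not part of the original thread, here is a small Python checker that reads the `options` block of a named.conf, pulls out `listen-on` and `allow-transfer`, and reports whether the server would bind an outside-facing address or hand out zone transfers to non-local hosts. The sample configuration is constructed here to mirror the poster's 127.0.0.1 / 192.168.0.1 setup; address-match-list features beyond plain addresses, prefixes, `any` and `none` (named ACLs, negations, `listen-on-v6`) are assumed out of scope and reported as unknown.

```python
"""Audit a BIND named.conf options block for DNS listener exposure.

Added example, not code from the original mailing-list thread. Parses the
listen-on and allow-transfer statements and classifies each entry so an
operator can confirm the server is bound only to loopback/private addresses.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the poster's bind8 snippet (not a real file).
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.168.0.1; };
    allow-transfer { none; };
};
"""

OUTSIDE = ("any", "public", "unknown")  # classes reachable from beyond the LAN


def extract_block(conf: str, name: str) -> str:
    """Return the brace-balanced body of the first `name { ... }` block, or ''."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", conf)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[start:i]
    raise ValueError(f"unbalanced braces in {name} block")


def address_list(block: str, statement: str) -> Optional[List[str]]:
    """Items of `statement [port N] { a; b; };` inside block, or None if absent."""
    pattern = r"\b" + re.escape(statement) + r"\s*(?:port\s+\d+\s*)?\{([^}]*)\}"
    m = re.search(pattern, block)
    if not m:
        return None
    return [item.strip() for item in m.group(1).split(";") if item.strip()]


def classify(entry: str) -> str:
    """Label one address-match-list entry: any/none/loopback/private/public/unknown."""
    if entry in ("any", "none"):
        return entry
    try:
        # ip_network accepts both single addresses (as /32) and prefixes.
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "unknown"  # ACL name, negation, etc. (assumed out of scope)
    if net.is_loopback:
        return "loopback"
    if net.is_private:
        return "private"
    return "public"


def audit(conf: str) -> Dict[str, object]:
    """Classify listen-on / allow-transfer entries and collect exposure findings."""
    opts = extract_block(conf, "options")
    listen = address_list(opts, "listen-on")
    transfer = address_list(opts, "allow-transfer")
    findings: List[str] = []

    if listen is None:
        # With no listen-on, named binds every interface, including ppp0.
        findings.append("no listen-on: named binds all interfaces")
        listen_class: Dict[str, str] = {"any": "any"}
    else:
        listen_class = {a: classify(a) for a in listen}
        for addr, cls in listen_class.items():
            if cls in OUTSIDE:
                findings.append(f"listen-on {addr} ({cls}) is reachable from outside")

    if transfer is None:
        # BIND 8 allowed transfers to any host when allow-transfer was absent.
        findings.append("no allow-transfer statement: transfers unrestricted (BIND 8 default)")
    elif any(classify(a) in OUTSIDE for a in transfer):
        findings.append("allow-transfer permits non-local hosts")

    return {"listen_on": listen_class, "allow_transfer": transfer, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_NAMED_CONF)
    for addr, cls in report["listen_on"].items():
        print(f"listen-on {addr}: {cls}")
    print("findings:", report["findings"] or "none")
```

Run it against a real named.conf by replacing `SAMPLE_NAMED_CONF` with the file's contents; an empty findings list is the state the poster reached, and a "no listen-on" finding is the default-bind-everything state he was trying to get away from.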
This archive was generated by hypermail 2b30 : Mon May 14 2001 - 08:51:52 PDT