
RE: firewalling


HuMPie

Sep 2, 2004, 12:43:29 PM
Only allowing UDP traffic is enough; TCP traffic is only needed if you are
a master DNS server and need to transfer zones to your slave.

-----Original Message-----
From: bind-use...@isc.org [mailto:bind-use...@isc.org] On
Behalf Of p...@icke-reklam.ipsec.nu
Sent: Wednesday, August 25, 2004 17:15
To: comp-protoc...@isc.org
Subject: Re: firewalling

thedlw <the...@comcast.net> wrote:
> can someone point me to a website or whatever as to what ports i need to
> open on a firewall to make my caching dns server to work? (it doesn't work
> if i don't make it a dmz)
> the...@comcast.net

Allow UDP and TCP from nameserver ( any port ) to any address port 53
on outside. Allow answers back ( remember state )

--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.


Ronan Flood

Sep 3, 2004, 6:46:15 AM
"HuMPie" <hum...@grunn.org> wrote:

> Only allowing UDP traffic is enough; TCP traffic is only needed if you are
> a master DNS server and need to transfer zones to your slave.

Not true: you may need TCP if the response to a query is large and one
or other server doesn't support EDNS0 large UDP packets.

--
Ronan Flood <R.F...@noc.ulcc.ac.uk>
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)

Ed Schmollinger

Sep 3, 2004, 9:35:58 AM
On Fri, Sep 03, 2004 at 10:46:15AM +0000, Ronan Flood wrote:
> "HuMPie" <hum...@grunn.org> wrote:
> > Only allowing UDP traffic is enough; TCP traffic is only needed if you are
> > a master DNS server and need to transfer zones to your slave.
>
> Not true: you may need TCP if the response to a query is large and one
> or other server doesn't support EDNS0 large UDP packets.
And of course it's not really against the rules for a resolver to use
TCP by default. If you shut off querying over TCP, then you can
probably expect for most things to keep working. The interesting
question here regards how easy it will be for you to figure out what's
wrong when it eventually breaks something. Does the mostly imaginary
security you're buying by blocking TCP weigh more than the eventual
downtime?

--
Ed Schmollinger - schm...@frozencrow.org


Danny Mayer

Sep 4, 2004, 8:55:05 PM
At 09:35 AM 9/3/2004, Ed Schmollinger wrote:
>And of course it's not really against the rules for a resolver to use
>TCP by default. If you shut off querying over TCP, then you can
>probably expect for most things to keep working. The interesting
>question here regards how easy it will be for you to figure out what's
>wrong when it eventually breaks something. Does the mostly imaginary
>security you're buying by blocking TCP weigh more than the eventual
>downtime?

Microsoft's Exchange Server does lookups using TCP and not UDP. This
is by design. I got confirmation from the person who made that decision
at the time. If you allow only UDP then Exchange Server will have a
problem with name resolution.

Danny


Barry Margolin

Sep 5, 2004, 12:29:42 AM
In article <ch9sfo$q3i$1...@sf1.isc.org>,
Ed Schmollinger <schm...@frozencrow.org> wrote:

> And of course it's not really against the rules for a resolver to use
> TCP by default.

Yes it is. From RFC 1123:

6.1.3.2 Transport Protocols

DNS resolvers and recursive servers MUST support UDP, and
SHOULD support TCP, for sending (non-zone-transfer) queries.
Specifically, a DNS resolver or server that is sending a
non-zone-transfer query MUST send a UDP query first. If the
Answer section of the response is truncated and if the
requester supports TCP, it SHOULD try the query again using
TCP.

Microsoft Exchange is violating the protocol by only using TCP.

Anyway, I'm not sure how relevant this is to the OP. This behavior of
Exchange is between the clients and the caching nameserver. I think the
OP wanted to know what ports to open up on his firewall between the
nameserver and the rest of the Internet. Even if Exchange uses TCP to
connect to the nameserver, the nameserver can send the recursive query
using UDP.

But when querying outside nameservers, you have to allow outbound TCP in
case the result is too large for a UDP query.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
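As an added illustration of the UDP-first, TCP-on-truncation order quoted above (example code written for this thread, not from any of the posters), a minimal resolver that sends over UDP and retries over TCP only when the server set the TC bit. `resolve` needs network access to the `server` address you give it; the two sample headers at the end are constructed for offline checks, not captured traffic.

```python
import socket
import struct

DNS_PORT = 53
TC_FLAG = 0x0200  # "Truncated" bit in the DNS header flags word

def build_query(name, qtype=1, txid=0x1234):
    """Build a recursive (RD=1) query for name/qtype; qtype 1 is A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def is_truncated(response):
    """True when the server set TC, i.e. the answer did not fit in the UDP reply."""
    if len(response) < 12:
        raise ValueError("short DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_FLAG)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the TCP connection early")
        buf += chunk
    return buf

def resolve(name, server, qtype=1, timeout=3.0):
    """UDP first, TCP only if the UDP answer was truncated (RFC 1123 6.1.3.2)."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, DNS_PORT))
        response, _ = udp.recvfrom(4096)
    if not is_truncated(response):
        return response, "udp"
    # This is the retry a UDP-only firewall breaks: the TCP message is
    # prefixed with a two-byte big-endian length (RFC 1035 section 4.2.2).
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", _recv_exact(tcp, 2))[0]
        return _recv_exact(tcp, length), "tcp"

# Constructed sample headers (not captured traffic): txid 0x1234, QR=1, RD=1, RA=1;
# the second one also has TC set, which is what triggers the TCP retry above.
SAMPLE_OK = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
```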

Jonathan de Boyne Pollard

Sep 5, 2004, 11:42:44 PM
DM> Microsoft's Exchange Server does lookups using TCP and not UDP.

And it's well-known to be wrong, and in violation of a "MUST" in RFC
1123, in doing so.

DM> This is by design.

It's a bad design.

DM> I got confirmation from the person who made that decision at the time.

That person is a bad designer.

p...@icke-reklam.ipsec.nu

Sep 7, 2004, 4:21:36 PM

I'm happy to agree with "Jonathan de Boyne Pollard" on this subject.

--
Peter Håkanson

IPSec Sverige ( At Gothenburg Riverside )

Sorry about my e-mail address, but i'm trying to keep spam out,
