Great Circle Associates Firewalls
(November 1996)

Subject: Re: Blocking DNS xfers across firewall
From: Nobuhiko Yoshimoto <yoshi @ koto . nikkei . co . jp>
Date: Thu, 21 Nov 1996 11:08:50 +0900
To: mitch @ qualcomm . com (Mark Mitchiner)
Cc: Firewalls @ GreatCircle . COM
In-reply-to: Your message of "Wed, 20 Nov 1996 15:58:25 MST." <v0213050caeb936a840e3 @ [129 . 46 . 92 . 54]>

> Hi,
> I'm using access-list packet filtering on Cisco routers (no flaming please)
> and I'm trying to block DNS xfers from machines outside our domain.
> Yes, I could use the xfrnets directive, but then I'd have to find
> all the rogue secondaries in my company.   From what I know,
> I can block TCP port 53, but this would also block queries
> (responses actually) > 512 bytes.  Any thoughts on this?
> A 512 byte response seems pretty big to me, but then again so
> did 64k to an unnamed billionaire.
> 

If the length of a DNS query packet exceeds 512 bytes, it is sent
through TCP port 53. That means most query packets come via
UDP 53. In practice, our site blocks DNS packets to TCP 53 except from
the secondary servers at the ISP site, but we have not experienced any trouble.

Nobuhiko Yoshimoto
Nihon Keizai Shimbun Inc.
yoshi @ nikkei . co . jp
phone:813-5690-0256
fax:813-5690-0250
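The mechanism the two posters are trading off, as an added example that is not part of the original thread: a DNS server that cannot fit an answer in the classic 512-byte UDP payload drops whole records, sets the TC (truncated) bit, and leaves the client to retry over TCP port 53; a router rule that admits TCP/53 only from known secondaries then decides whether that retry ever arrives. The hostnames, the address lists and the allowed-secondary set (`ALLOWED_TCP53_SOURCES`) are constructed for the example; the filter function mirrors a rule of the form `permit tcp host <secondary> any eq 53` / `deny tcp any any eq 53` / `permit udp any any eq 53` and is not a Cisco configuration.

```python
import struct

UDP_MAX = 512          # classic DNS-over-UDP payload limit (RFC 1035, section 4.2.1)
TC_BIT = 0x0200        # "truncated" flag in the DNS header flags word

# Constructed for this example: the only outside host allowed to open TCP/53 to us,
# standing in for the ISP's secondary server mentioned in the reply above.
ALLOWED_TCP53_SOURCES = {"192.0.2.53"}


def encode_name(name):
    """Encode a dotted hostname as DNS length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname, addresses, tc=False, txid=0x1234):
    """Build a minimal authoritative response: header, one question, one A RR per address."""
    flags = 0x8400 | (TC_BIT if tc else 0)              # QR=1, AA=1, optionally TC=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in addresses:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C = compression pointer to the question name at offset 12,
        # then TYPE=A, CLASS=IN, TTL=300, RDLENGTH=4
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answers


def udp_reply(qname, addresses):
    """Server side: send the full answer over UDP if it fits, otherwise drop whole RRs
    until it does and set TC so the client knows the answer is incomplete."""
    msg = build_response(qname, addresses)
    if len(msg) <= UDP_MAX:
        return msg
    keep = list(addresses)
    while keep and len(build_response(qname, keep, tc=True)) > UDP_MAX:
        keep.pop()
    return build_response(qname, keep, tc=True)


def is_truncated(msg):
    """Client side: TC set means the UDP answer is incomplete; the client retries over TCP."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_BIT)


def answer_count(msg):
    """ANCOUNT from the header: how many answer RRs the message actually carries."""
    return struct.unpack("!H", msg[6:8])[0]


def router_permits(proto, src_ip, dst_port):
    """The filter under discussion: UDP/53 from anyone, TCP/53 only from listed secondaries."""
    if dst_port != 53:
        return True
    if proto == "udp":
        return True
    return src_ip in ALLOWED_TCP53_SOURCES


def resolve_through_filter(qname, addresses, client_ip):
    """Simulate a client outside the router querying our server.
    Returns (number of A records the client ends up with, whether the answer is complete)."""
    reply = udp_reply(qname, addresses)
    if not is_truncated(reply):
        return answer_count(reply), True
    # Truncated: the client retries over TCP/53. If the router drops that connection,
    # all the client ever holds is the partial UDP answer.
    if router_permits("tcp", client_ip, 53):
        return len(addresses), True
    return answer_count(reply), False


if __name__ == "__main__":
    small = ["192.0.2.%d" % i for i in range(1, 11)]       # constructed: 10 A records
    big = ["198.51.100.%d" % i for i in range(1, 41)]      # constructed: 40 A records
    print(resolve_through_filter("www.example.com", small, "203.0.113.9"))  # fits in UDP
    print(resolve_through_filter("www.example.com", big, "203.0.113.9"))    # TCP needed and blocked
    print(resolve_through_filter("www.example.com", big, "192.0.2.53"))     # TCP needed and allowed
```

With these sizes a 40-record answer is 673 bytes, so the UDP reply is cut to 29 records (497 bytes) with TC set; an ordinary outside client gets only those 29, while the listed secondary completes the query over TCP. Zone transfers (AXFR) always run over TCP, so the rule does stop rogue secondaries outside the list; the price is exactly the large-answer case the original poster worried about. EDNS0 (RFC 2671, published after this thread) later let clients advertise a larger UDP payload, which shrinks but does not eliminate the set of answers that still need TCP.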
