Great Circle Associates Firewalls
(November 1996)

Subject: Re: Blocking DNS xfers across firewall
From: mike @ ptes . com (Mike Bernhardt)
Date: Thu, 21 Nov 1996 08:48:45 -0900
To: Mark Mitchiner <mitch @ qualcomm . com>
Cc: Firewalls @ GreatCircle . COM

>If the length of a DNS query packet exceeds 512 bytes, it is sent
>through tcp port 53. That means most of the query packets come via
>udp 53. In practice, our site blocks DNS packets to tcp 53 except from
>secondary servers at the ISP site, and we have not experienced any trouble.
>
We block tcp to port 53, except to our "external" DNS. The external knows
nothing about the internal ones. This blocks zone transfers from going in
or out, but lookups are acceptable. The only thing I don't like about this
is that you can still do nslookups from outside in, but since we don't
advertise our internal nameservers...
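The policy Mike describes, modelled as an ordered first-match filter and run over a few constructed packets. This is an added illustration, not anything from the list or from his firewall; the 192.0.2.53 external nameserver, the 10.0.0.0/8 internal range and the sample source addresses are assumed placeholder values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addresses (RFC 5737 / RFC 1918), not taken from the post.
EXTERNAL_DNS = ip_network("192.0.2.53/32")   # the one advertised nameserver
ANY = ip_network("0.0.0.0/0")

# Ordered rule table, first match wins: TCP/53 is only allowed to the external
# server (where the ISP secondaries pull zones and where truncated answers are
# retried over TCP); every other TCP/53 is dropped; UDP/53 lookups pass.
RULES = [
    ("tcp53-to-external-ns", "tcp", EXTERNAL_DNS, 53, "permit"),
    ("no-other-tcp53",       "tcp", ANY,          53, "deny"),
    ("udp53-lookups",        "udp", ANY,          53, "permit"),
]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def dns_policy(pkt: Packet) -> tuple[str, str]:
    """Return (action, rule name); 'n/a' when no DNS rule applies."""
    dst = ip_address(pkt.dst)
    for name, proto, net, port, action in RULES:
        if pkt.proto == proto and pkt.dport == port and dst in net:
            return action, name
    return "n/a", "no-dns-rule"


# Constructed sample traffic.
SAMPLE = [
    Packet("tcp", "198.51.100.7", "192.0.2.53", 53),  # ISP secondary: zone transfer
    Packet("tcp", "198.51.100.7", "10.1.1.53", 53),   # AXFR aimed at an internal NS
    Packet("udp", "198.51.100.7", "10.1.1.53", 53),   # the outside-in lookup he dislikes
    Packet("tcp", "10.2.2.2", "203.0.113.9", 53),     # internal host retrying over TCP
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        action, rule = dns_policy(pkt)
        print(f"{pkt.proto}/{pkt.dport} {pkt.src} -> {pkt.dst}: {action} ({rule})")
```

Note the last sample: an internal host whose UDP answer came back truncated cannot retry over TCP, so internal resolvers must forward through the external server for this policy to be safe.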
