nat and dns
Jason Opperisano
opie at 817west.com
Thu Sep 23 16:13:53 CEST 2004
On Thu, 2004-09-23 at 07:23, Nick Drage wrote:
> On Thu, Sep 23, 2004 at 01:09:43PM +0200, Samuel Díaz García wrote:
> > For DNS query only UDP is necessary, not TCP.
>
> Heh, that's such a common misconception that I almost mentioned it in my
> original email.
i'm surprised you didn't...as it comes up here every time DNS is
mentioned. and you're 100% right about it being a misconception.
> Most DNS queries take place over UDP, however if the
> reply to the query is especially large then a new TCP connection is
> opened between the client and server.
find me a response to a client resolver request that doesn't fit in a
single UDP packet, and i'll stop seeing red every time i see someone
recommend allowing TCP 53 from any IP to their DNS server (*).
> Also zone transfers take place
> over TCP IIRC, it depends what kind of functionality the DNS server will
> be providing.
TCP 53 is for zone transfers. there is no reason to allow TCP from any
IP's other than your slave servers. i also recommend ACL-ing zone
transfers in your DNS server configuration as well.
(*) the biggest response i've come across that i can recall is an MX
record lookup for earthlink.net, which is about 540 bytes on the wire
and still "fits" in a single UDP packet. people that manage DNS servers
that respond with messages of this size are aware that many people that
they want receiving these answers will not allow TCP 53 in through their
firewall and act accordingly.
-j
--
Jason Opperisano <opie at 817west.com>
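The size question argued above (when does a UDP answer stop fitting, and what makes a resolver fall back to TCP) can be made concrete by building responses on the wire. This is an added example, not code from the thread or from netfilter: it assembles MX responses in RFC 1035 wire format without name compression, drops answers past the classic 512-byte UDP payload limit, and sets the TC bit the way a server signals "retry over TCP". The example.com MX set is constructed sample data.

```python
import struct

UDP_PAYLOAD_LIMIT = 512  # classic DNS-over-UDP limit (RFC 1035) when no EDNS0 is negotiated
TYPE_MX, CLASS_IN = 15, 1

def encode_name(name):
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def mx_rr(owner, preference, exchange, ttl=3600):
    """One MX resource record in wire format: owner, type, class, TTL, RDLENGTH, RDATA."""
    rdata = struct.pack("!H", preference) + encode_name(exchange)
    return encode_name(owner) + struct.pack("!HHIH", TYPE_MX, CLASS_IN, ttl, len(rdata)) + rdata

def build_udp_response(qname, answers, txid=0x1234, limit=UDP_PAYLOAD_LIMIT):
    """Assemble a UDP reply. Answers that would push the message past `limit` are
    dropped and the TC bit is set, which is what makes a resolver retry over TCP."""
    question = encode_name(qname) + struct.pack("!HH", TYPE_MX, CLASS_IN)
    body, kept = question, []
    for rr in answers:
        if 12 + len(body) + len(rr) > limit:  # 12 = fixed header size
            break
        body += rr
        kept.append(rr)
    truncated = len(kept) < len(answers)
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR, RD, RA; TC only when truncated
    header = struct.pack("!HHHHHH", txid, flags, 1, len(kept), 0, 0)
    return header + body

def is_truncated(msg):
    """True if the TC bit is set in the header of a wire-format DNS message."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)

def answer_count(msg):
    """ANCOUNT from the header: how many answer RRs the message actually carries."""
    return struct.unpack("!H", msg[6:8])[0]

def sample_mx_set(zone, n):
    """Constructed sample data: n MX records for `zone`, 42 bytes each on the wire."""
    return [mx_rr(zone, 10 * (i + 1), f"mx{chr(97 + i)}.{zone}") for i in range(n)]

if __name__ == "__main__":
    for n in (8, 12):
        msg = build_udp_response("example.com", sample_mx_set("example.com", n))
        print(f"{n} MX records -> {len(msg)} bytes, TC={is_truncated(msg)}, answers={answer_count(msg)}")
```

Real servers compress repeated names, so their answers are smaller than this uncompressed build; a firewall that blocks TCP 53 from arbitrary clients turns any TC=1 answer into a retry that never completes.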