From: Aleksandar Milivojevic <amilivojevic@pbl.ca>
To: Netfilter User Mailinglist <netfilter@lists.netfilter.org>
Subject: Re: RFC 1035 Bind
Date: Tue, 09 Nov 2004 15:56:21 -0600	[thread overview]
Message-ID: <41913D05.9040501@pbl.ca> (raw)
In-Reply-To: <20041109190202.GB18755@marschmellow.homeunix.net>

Mark-Walter@t-online.de wrote:
> Ok, I know there could be a problem on the inside of a web server farm
> and you need to allow both protocols, and he is referring to this,
> but generally I would prefer to avoid TCP over port 53 in order
> to avoid a man-in-the-middle attack.

I've read the article, and found an error in it.  If the response does
not fit into 512 bytes, it is the client side (be it a real client, or
another DNS server) that will open a connection on TCP 53, reissue the
query, and read the response, which is completely different from what was
described on that page (the server side opening a connection back to the
client side).

Back to your question.  Yes, you should allow both UDP and TCP for DNS
queries.  In both cases, outgoing only.  Unless you have a publicly
available DNS server (in which case you will obviously need to allow
incoming for both UDP and TCP).

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
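The exchange Aleksandar describes, as an added example that is not part of the original post or of any project's code: a small offline model of the RFC 1035 truncation fallback. The server answers over UDP; if the full reply would exceed 512 bytes it sends a short reply with the TC bit set instead, and it is then the querier that opens TCP/53, resends the same query with the 2-byte length prefix TCP DNS requires, and reads the full answer. No sockets are opened; the query, the answers and the addresses (192.0.2.x) are constructed inline, and all function names (build_query, server_udp_reply, resolve, ...) are this example's own, not a library API.

```python
import struct

MAX_UDP_PAYLOAD = 512   # RFC 1035 section 2.3.4: UDP DNS messages are limited to 512 bytes
TC_BIT = 0x0200         # "truncated" flag in the header flags word


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past the name starting at `offset` (handles pointers)."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:   # compression pointer occupies two bytes
            return offset + 2
        offset += 1 + length


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Client side: standard query, RD=1, one question of class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, addresses: list) -> bytes:
    """Server side: full answer with one A record per address (constructed data)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # name pointer to offset 12 (the question name), type A, class IN, TTL, RDLENGTH
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + query[12:] + answers


def is_truncated(response: bytes) -> bool:
    if len(response) < 12:
        raise ValueError("DNS header is 12 bytes")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_BIT)


def answer_count(response: bytes) -> int:
    return struct.unpack("!H", response[6:8])[0]


def server_udp_reply(full_message: bytes) -> bytes:
    """Server side over UDP: if the full answer fits, send it; otherwise send
    header + question with TC set and no records. The server never opens a
    connection back towards the client."""
    if len(full_message) <= MAX_UDP_PAYLOAD:
        return full_message
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", full_message[:12])
    question_end = skip_name(full_message, 12) + 4   # name + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, flags | TC_BIT, qd, 0, 0, 0)
    return header + full_message[12:question_end]


def frame_for_tcp(message: bytes) -> bytes:
    """RFC 1035 section 4.2.2: over TCP each message carries a 2-byte length prefix."""
    return struct.pack("!H", len(message)) + message


def parse_tcp_response(stream: bytes) -> bytes:
    if len(stream) < 2:
        raise ValueError("short TCP DNS stream")
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("incomplete TCP DNS message")
    return body


def resolve(query: bytes, full_answer: bytes):
    """Client-side flow. Returns (transport the answer arrived on, answer bytes)."""
    udp_reply = server_udp_reply(full_answer)
    if not is_truncated(udp_reply):
        return ("udp", udp_reply)
    # TC set: the CLIENT opens TCP/53 and resends the same query, length-prefixed.
    tcp_query = frame_for_tcp(query)
    assert parse_tcp_response(tcp_query) == query
    tcp_stream = frame_for_tcp(full_answer)   # what the server writes on that TCP socket
    return ("tcp", parse_tcp_response(tcp_stream))


if __name__ == "__main__":
    q = build_query("example.com")
    small = build_response(q, ["192.0.2.%d" % i for i in range(1, 6)])
    big = build_response(q, ["192.0.2.%d" % (i % 250 + 1) for i in range(40)])
    print("small answer:", len(small), "bytes ->", resolve(q, small)[0])
    print("big answer:  ", len(big), "bytes ->", resolve(q, big)[0])
```

The firewall consequence is the one in the reply: every TCP/53 connection is initiated by whoever asked the question, so a resolver or internal client needs outgoing UDP/53 and outgoing (new) TCP/53 only, and incoming TCP/53 is needed solely on a host that serves DNS to others.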



Thread overview:
2004-11-09 19:02 RFC 1035 Bind Mark-Walter
2004-11-09 21:10 ` a.ledvinka
2004-11-09 21:56 ` Aleksandar Milivojevic [this message]
2004-11-09 19:22 Hudson Delbert J Contr 61 CS/SCBN
2004-11-09 21:42 Hudson Delbert J Contr 61 CS/SCBN
