[dns-operations] DNS Issue

Mike Hoskins (michoski) michoski at cisco.com
Fri Apr 26 13:55:08 UTC 2013

-----Original Message-----

From: <Dobbins>, Roland <rdobbins at arbor.net>
Date: Friday, April 26, 2013 8:33 AM
To: "dns-operations at lists.dns-oarc.net List"
<dns-operations at mail.dns-oarc.net>
Subject: Re: [dns-operations] DNS Issue

>On Apr 26, 2013, at 7:24 PM, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
>> Also can someone explain why tcp53 should be allowed on the firewalls
>>if dns is behind a firewall?
>Truncate mode.
>> And why auditors do not like tcp53 open to public?
>'Security' misinformation spread by firewall vendors since the late 1990s.

Particularly sad since, even in a least-privilege world (which I think we
could all agree to), 53/tcp is simply RFC/protocol-compliance not
unnecessary access as many have pointed out.  Also ironic, in that 53/udp
actually causes more damage (amplification, etc) these days than 53/tcp
ever has.

I've had 53/udp and 53/tcp open on every DNS server I've managed for over
a decade, and never had a problem justifying it on audits.  Sure it might
be a finding, but it can be easily explained.  If that's not the case,
find another auditor.

More information about the dns-operations mailing list