[dns-operations] DNS Issue
Mike Hoskins (michoski)
michoski at cisco.com
Fri Apr 26 13:55:08 UTC 2013
-----Original Message-----
From: <Dobbins>, Roland <rdobbins at arbor.net>
Date: Friday, April 26, 2013 8:33 AM
To: "dns-operations at lists.dns-oarc.net List"
<dns-operations at mail.dns-oarc.net>
Subject: Re: [dns-operations] DNS Issue
>
>On Apr 26, 2013, at 7:24 PM, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
>
>> Also can someone explain why tcp53 should be allowed on the firewalls
>>if dns is behind a firewall?
>
>Truncate mode.
>
>> And why auditors do not like tcp53 open to public?
>
>'Security' misinformation spread by firewall vendors since the late 1990s.
Particularly sad since, even in a least-privilege world (which I think we
could all agree to), 53/tcp is simply RFC/protocol compliance, not
unnecessary access, as many have pointed out. Also ironic, in that 53/udp
actually causes more damage (amplification, etc.) these days than 53/tcp
ever has.
I've had 53/udp and 53/tcp open on every DNS server I've managed for over
a decade, and never had a problem justifying it on audits. Sure it might
be a finding, but it can be easily explained. If that's not the case,
find another auditor.
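The "truncate mode" Roland refers to is the RFC 1035 fallback: when an answer does not fit in the UDP response the server sets the TC bit, and the resolver must retry the same query over TCP, where each message carries a two-byte length prefix. The following Python is an added illustration of that exchange and is not code from the original post or from the list; the server functions are constructed stand-ins (no network I/O), and the query name and the 192.0.2.1 answer are example values chosen for the demonstration.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1).
DNS_QR = 0x8000  # message is a response
DNS_TC = 0x0200  # response was truncated, retry over TCP
DNS_RD = 0x0100  # recursion desired
DNS_RA = 0x0080  # recursion available


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1, qclass=1):
    """Build a single-question query (default: A record, class IN)."""
    header = struct.pack("!HHHHHH", txid, DNS_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    """Decode the 12-byte header; only the fields this example needs."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & DNS_QR), "tc": bool(flags & DNS_TC),
            "qdcount": qd, "ancount": an}


def to_tcp_wire(msg):
    """RFC 1035 section 4.2.2: over TCP every message is length-prefixed."""
    return struct.pack("!H", len(msg)) + msg


def from_tcp_wire(stream):
    """Pull one length-prefixed message off a TCP byte stream."""
    length = struct.unpack("!H", stream[:2])[0]
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("incomplete TCP message")
    return body, stream[2 + length:]


def needs_tcp_retry(query, udp_response):
    """Resolver-side check: does the UDP answer tell us to come back over TCP?"""
    hdr = parse_header(udp_response)
    if hdr["id"] != parse_header(query)["id"] or not hdr["qr"]:
        raise ValueError("response does not match query")
    return hdr["tc"]


def truncated_udp_server(query):
    """Constructed server: answer too big for UDP, so TC is set and the answer section is empty."""
    txid = parse_header(query)["id"]
    header = struct.pack("!HHHHHH", txid, DNS_QR | DNS_RD | DNS_RA | DNS_TC, 1, 0, 0, 0)
    return header + query[12:]


def full_tcp_server(stream):
    """Constructed server: same query over TCP, returns one A record (192.0.2.1, example address)."""
    query, _ = from_tcp_wire(stream)
    txid = parse_header(query)["id"]
    # Name is a compression pointer to the question (offset 12), type A, class IN, TTL 300, 4-byte rdata.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    header = struct.pack("!HHHHHH", txid, DNS_QR | DNS_RD | DNS_RA, 1, 1, 0, 0)
    return to_tcp_wire(header + query[12:] + answer)


def resolve(query, udp_server, tcp_server, tcp53_allowed):
    """Model the resolver: UDP first, then TCP if TC is set and the firewall lets 53/tcp through."""
    udp_resp = udp_server(query)
    if not needs_tcp_retry(query, udp_resp):
        return udp_resp, "udp"
    if not tcp53_allowed:
        return None, "failed: TC set but 53/tcp is blocked"
    body, _ = from_tcp_wire(tcp_server(to_tcp_wire(query)))
    return body, "tcp"


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    for allowed in (True, False):
        resp, how = resolve(q, truncated_udp_server, full_tcp_server, allowed)
        print(f"53/tcp allowed={allowed}: {how}",
              "" if resp is None else f"ancount={parse_header(resp)['ancount']}")
```

With 53/tcp blocked the resolver is left holding a response with no answers and nowhere to go; that is the behaviour an audit finding on "open tcp/53" would actually be asking you to break.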