[dns-operations] DNS Issue
Fred Morris
m3047 at m3047.net
Fri Apr 26 16:23:38 UTC 2013
Good timing...
On Fri, 26 Apr 2013, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
> Also can someone explain why tcp53 should be allowed on the firewalls if dns is behind a firewall?
>
> And why auditors do not like tcp53 open to public?
See, that's another of the arguments why DNS should *not* be behind "the
firewall": topology issues.
If your (recursive/caching) DNS server was outside the firewall, with
appropriate access controls, then port 53 through the firewall needs only
to be open with respect to the servers which you control.
That's not to say that you wouldn't/shouldn't have appropriate traffic
monitoring/etc. in place between the server and the rest of the
internet.
Agree/disagree, but there it is...
--
Fred Morris
More information about the dns-operations
mailing list