[dns-operations] DNS Issue

Lutz Donnerhacke lutz at iks-jena.de
Wed May 1 11:45:14 UTC 2013

* John Kristoff wrote:
>> And why auditors do not like tcp53 open to public?
> They may have an outdated, naive view of what should be open and
> what shouldn't be?  Show them the above and ask them why.  I'd be
> curious what the response is.

"We have never seen TCP/53 in public beside strange examples or attack."
"TCP/53 ise superseded by EDNS0"
"TCP/53 is only needed for AXFR, allow TCP/53 only to(!) your primary NS"
"DNS works over UDP"

There are more such answers. But the most prominent answer is:
"We marked it red, because it's a security risk. Close it!"

More information about the dns-operations mailing list