[dns-operations] DNS Issue
Lutz Donnerhacke
lutz at iks-jena.de
Wed May 1 11:45:14 UTC 2013
* John Kristoff wrote:
>> And why do auditors not like tcp53 open to the public?
>
> They may have an outdated, naive view of what should be open and
> what shouldn't be? Show them the above and ask them why. I'd be
> curious what the response is.
"We have never seen TCP/53 in public besides strange examples or attacks."
"TCP/53 is superseded by EDNS0"
"TCP/53 is only needed for AXFR, allow TCP/53 only to(!) your primary NS"
"DNS works over UDP"
There are more such answers. But the most prominent answer is:
"We marked it red, because it's a security risk. Close it!"
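As added context for the auditor answers quoted above (this is editorial example code, not part of the original post or of any named tool): the standard reason TCP/53 is needed beyond AXFR is the TC bit. When an answer does not fit the UDP payload limit, the server sets TC in the header and the client is expected to repeat the same query over TCP (RFC 1035, made an explicit implementation requirement by RFC 5966). EDNS0 only raises the UDP limit by advertising a larger buffer in an OPT record; it does not remove truncation. The script below builds a query with an EDNS0 OPT record, detects TC in a constructed reply, and performs the UDP-then-TCP fallback with injected fake transports so it runs offline. The function names, the transaction id and the sample replies are constructed for the example.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated: answer did not fit the UDP payload limit
FLAG_RD = 0x0100  # recursion desired


def build_query(qname, qtype=1, txid=0x1234):
    """Wire-format DNS query: 12-byte header plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def add_edns0(query, udp_payload_size=4096):
    """Append an OPT pseudo-RR (RFC 6891) advertising a larger UDP payload size.

    EDNS0 raises the UDP ceiling; an answer larger than even this size is
    still returned truncated, so TCP fallback remains necessary."""
    arcount = struct.unpack("!H", query[10:12])[0] + 1
    # root name, TYPE=OPT(41), CLASS=payload size, TTL=0 (ext rcode/version/flags), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, 0)
    return query[:10] + struct.pack("!H", arcount) + query[12:] + opt


def is_truncated(response):
    """True when the TC flag is set in a DNS response header."""
    if len(response) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & FLAG_TC)


def frame_for_tcp(message):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message


def unframe_from_tcp(stream):
    """Strip the 2-byte length prefix, checking the message is complete."""
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("incomplete DNS message on TCP stream")
    return body


def resolve(query, send_udp, send_tcp):
    """Standard client behaviour: query over UDP; if TC is set, repeat over TCP.

    send_udp(msg) and send_tcp(framed_msg) are transport callables, so real
    sockets or fakes can be plugged in. Returns (reply, transport_used)."""
    reply = send_udp(query)
    if not is_truncated(reply):
        return reply, "udp"
    return unframe_from_tcp(send_tcp(frame_for_tcp(query))), "tcp"


# Constructed sample replies (not captured traffic): header only, no RRs.
def _reply(txid, flags):
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


TRUNCATED_REPLY = _reply(0x1234, FLAG_QR | FLAG_RD | FLAG_TC)
COMPLETE_REPLY = _reply(0x1234, FLAG_QR | FLAG_RD)


def demo():
    """Fake transports: UDP answers truncated, TCP answers in full."""
    query = add_edns0(build_query("example.com"))
    udp = lambda msg: TRUNCATED_REPLY
    tcp = lambda framed: frame_for_tcp(COMPLETE_REPLY)
    return resolve(query, udp, tcp)[1]


if __name__ == "__main__":
    print("transport used:", demo())
```

A firewall that drops TCP/53 turns every truncated answer into a resolution failure for the client, which is the operational risk behind the auditor claim "DNS works over UDP"; the fallback above is what a stock resolver does, so blocking it is a reachability problem rather than an attack surface reduction.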