On 26.03.13 00:21, babu dheen wrote:
Hi Matus,
Please skip personal replies. This is a mailing list and issues should be discussed here.
Still not convinced, because if I need to allow >1024 ports from our DNS server to the external world (internet)... where is the security?
If you have a stateful firewall, you simply need to allow "open" connections (stateful firewalls can track outgoing UDP packets and match the replies). If not, you have to allow all traffic from port 53 on remote DNS servers to your DNS server. Since you can't know all DNS servers, you have to allow all incoming traffic to your DNS server where the source port is 53.

All the "security" is useless if it blocks your service. Luckily, most firewalls can track the "connection" state.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT want to receive any advertising mail at this address.
Emacs is a complicated operating system without good text editor.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
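To make the difference Matus describes concrete, here is an added toy packet filter (not code from the thread, BIND, or any real firewall) that feeds the same constructed UDP traffic through a stateless "allow source port 53 to the resolver's high ports" rule and through a conntrack-style filter that only admits replies mirroring a query the resolver actually sent. The resolver address 192.0.2.53, the remote servers 198.51.100.10 and 203.0.113.7, and the port numbers are all made up for the example.

```python
"""Toy comparison of a stateless port-53 rule with connection tracking for UDP DNS.
Constructed example for illustration; not BIND or real firewall code."""
from dataclasses import dataclass
from typing import List, Set, Tuple

RESOLVER_IP = "192.0.2.53"   # assumed: our recursive DNS server
EPHEMERAL_MIN = 1024         # the ">1024" range the question asks about

# Flow key as seen from our side: (local ip, local port, remote ip, remote port)
FlowKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving our network, "in" = arriving from the internet
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_our_query(p: Packet) -> bool:
    """An outbound DNS query from the resolver to some remote server's port 53."""
    return p.direction == "out" and p.src_ip == RESOLVER_IP and p.dst_port == 53


class StatelessFilter:
    """Without connection tracking you are forced to admit every inbound UDP packet
    whose source port is 53 and whose destination is the resolver's ephemeral
    range, whether or not a query was ever sent.  Any host can set source port 53."""

    def allow(self, p: Packet) -> bool:
        if p.direction == "out":
            return is_our_query(p)
        return (p.dst_ip == RESOLVER_IP
                and p.src_port == 53
                and p.dst_port >= EPHEMERAL_MIN)


class StatefulFilter:
    """Conntrack-style filter: remember each outbound query and admit an inbound
    packet only if it is the exact reverse of a remembered flow.  Entry timeouts
    (real conntrack expires idle UDP entries after a short while) are not modelled."""

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()

    def allow(self, p: Packet) -> bool:
        if p.direction == "out":
            if not is_our_query(p):
                return False
            self.flows.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return True
        # Inbound: both the remote ip:port and our ip:port must match an open flow.
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.flows


def run(flt, packets: List[Packet]) -> List[bool]:
    """Feed packets in order and return the verdict (True = allowed) for each."""
    return [flt.allow(p) for p in packets]


# Constructed traffic: one genuine query/reply pair, then two unsolicited packets
# that simply use source port 53 to slip past a port-based rule.
TRAFFIC: List[Packet] = [
    Packet("out", RESOLVER_IP, 40123, "198.51.100.10", 53),   # our query
    Packet("in", "198.51.100.10", 53, RESOLVER_IP, 40123),    # the real reply
    Packet("in", "203.0.113.7", 53, RESOLVER_IP, 40123),      # unsolicited, wrong server
    Packet("in", "203.0.113.7", 53, RESOLVER_IP, 10000),      # probe of another high UDP port
]


def admitted_inbound(flt, packets: List[Packet]) -> int:
    """Number of inbound packets a filter lets reach the resolver."""
    verdicts = run(flt, packets)
    return sum(1 for p, ok in zip(packets, verdicts) if p.direction == "in" and ok)


if __name__ == "__main__":
    print("stateless:", run(StatelessFilter(), TRAFFIC))
    print("stateful: ", run(StatefulFilter(), TRAFFIC))
```

The stateless rule passes all three inbound packets; the stateful one passes only the genuine reply, which is the point of the post: the "allow >1024" rule by itself is not what protects the resolver, the state table is. On Linux the equivalent of the stateful branch is an iptables/nftables rule accepting inbound traffic with conntrack state ESTABLISHED (or RELATED) rather than a bare source-port match.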