IPCHAINS Help

Brian Russo brusso at phys.hawaii.edu
Tue Oct 16 07:42:09 PDT 2001


On Mon, Oct 15, 2001 at 11:13:50PM -1000, Warren Togami wrote:
> Are DNS client queries outgoing TCP or UDP?
> 
> If TCP, you could REJECT or DROP incoming SYN packets to port 53, breaking
> any incoming connection attempt.  This will allow outgoing queries because
> outgoing SYN packets are unaffected.  Incoming ACK packets from these
> established TCP connections come back in unhindered.
> 
> However, I think simple DNS queries are UDP.  If this is the case there
> isn't anything I can think of that you could do without stateful inspection
> (2.4 kernel).  Why do you need to block incoming connections to port 53?

DNS queries are UDP (large responses may be sent via TCP, but you
don't see this as much; you will probably see this if you use
DNSSEC. Zone transfers are also TCP).

Anyway, unless you are running a named that must be accessible
externally, block incoming to 53 at your whim. (The only scenario I see
this in is a caching named, or internal-only resolvers.)

 - bri

-- 
Unix Staff, High Energy Physics Group   <brusso at phys.hawaii.edu>
Debian/GNU Linux! http://www.debian.org <wolfie at debian.org>
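The two rules the thread arrives at (deny inbound UDP to port 53, deny inbound TCP SYN to port 53), written out as an added ipchains example that is not from either poster. The outside interface name eth0 is an assumption, and the script only prints the rules unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not from the original thread: ipchains input rules for a
# 2.2-era host without stateful inspection.  Assumes the external interface
# is eth0 (placeholder) and that ipchains is in $PATH when actually applied.
DRY_RUN="${DRY_RUN:-1}"

run() {
    # Print the command in dry-run mode, otherwise execute it.
    if [ "$DRY_RUN" = 1 ]; then echo "ipchains $*"; else ipchains "$@"; fi
}

dns_input_rules() {
    ext_if="${1:-eth0}"
    # Queries from outside arrive as UDP with *destination* port 53.
    # Replies to our own queries arrive with *source* port 53 and a high
    # destination port, so they do not match and our resolver still works.
    run -A input -i "$ext_if" -p udp -d 0.0.0.0/0 53 -j DENY
    # Zone transfers and large answers use TCP.  Matching only SYN packets
    # (-y) stops new inbound connections while the non-SYN segments of
    # connections we opened ourselves still come back in.
    run -A input -i "$ext_if" -p tcp -y -d 0.0.0.0/0 53 -j DENY
}

dns_input_rules "$@"
```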



More information about the LUAU mailing list