[Dshield] UDP blocking

Nels Lindquist nlindq at maei.ca
Fri Mar 15 18:11:12 GMT 2002


On 14 Mar 2002 at 15:40, Kelly Martin wrote:

> DNS is UDP port 53.  Note also that queries go out (by default) on random
> UDP ports, and the replies come back to the same port the query originated
> from.  If you are not using a stateful firewall, you will have to either
> open all of UDP or lock your DNS client down to use a specified query port.

You shouldn't have to open up *all* UDP traffic.  Allowing UDP 
traffic from port 53 to unprivileged ports (>=1024) should be 
sufficient.

> If you have a trusted resolver you can use, you can open UDP only to that
> trusted resolver.

As long as that trusted resolver will never refer your request to a 
different server.
Nels Lindquist <*>
----
Quidquid latine dictum sit altum videtur.

Whatever is said in Latin, sounds profound.
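As an added illustration of the two approaches discussed in the thread (this is not code from the list or from either poster), the following Python compares the "source port 53 to an unprivileged port" rule, optionally limited to one trusted resolver, against a stateful filter that only admits a reply matching a query it saw leave. Addresses and ports are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def stateless_allow(pkt: UdpPacket, trusted_resolver: Optional[str] = None) -> bool:
    """Inbound rule from the post: UDP from port 53 to an unprivileged port.
    With trusted_resolver set, the source address must also match it."""
    if trusted_resolver is not None and pkt.src_ip != trusted_resolver:
        return False
    return pkt.src_port == 53 and pkt.dst_port >= 1024

class StatefulFilter:
    """Admits an inbound UDP packet only if it reverses a query still pending."""
    def __init__(self) -> None:
        self._pending: set = set()

    def outbound(self, pkt: UdpPacket) -> None:
        # Remember the 4-tuple a legitimate reply must carry.
        self._pending.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))

    def inbound_allow(self, pkt: UdpPacket) -> bool:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self._pending:
            self._pending.discard(key)   # one reply per query
            return True
        return False

# Constructed sample traffic (documentation-range addresses).
CLIENT, RESOLVER, OTHER = "192.0.2.10", "198.51.100.53", "203.0.113.7"
QUERY = UdpPacket(CLIENT, 40123, RESOLVER, 53)
REPLY = UdpPacket(RESOLVER, 53, CLIENT, 40123)
UNSOLICITED = UdpPacket(OTHER, 53, CLIENT, 5000)   # nobody asked for this

def compare() -> dict:
    """Returns (stateless, stateless+trusted, stateful) verdicts per packet."""
    sf = StatefulFilter()
    sf.outbound(QUERY)
    results = {}
    for name, pkt in (("reply", REPLY), ("unsolicited", UNSOLICITED)):
        results[name] = (stateless_allow(pkt),
                         stateless_allow(pkt, RESOLVER),
                         sf.inbound_allow(pkt))
    return results

if __name__ == "__main__":
    print(compare())
```

The unsolicited packet passes the plain source-port rule, is stopped by pinning to the trusted resolver, and is stopped by the stateful filter either way.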