[unisog] DNS over TCP should we block

Reg Quinton reggers at ist.uwaterloo.ca
Tue Jan 4 21:39:30 GMT 2005


> The threats that the original poster may want to avoid should be discussed;
> without this discussion, it's not possible to say whether blocking DNS over
> TCP (from where to where?) is the best way to mitigate them.  If zone
> transfers are the threat in question:

If all you worry about is zone transfers, that's fine. But I'd suggest you 
not wait for the problems you haven't anticipated -- block it if you can. A 
well-honored security principle is to never expose a service unless you have 
to.

IMHO there's no need for anyone other than our campus DNS servers to conduct 
DNS conversations with remote systems.
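The policy stated in this message, "only the campus DNS servers conduct DNS conversations with remote systems", can be expressed directly as a border firewall ruleset. The following nftables ruleset is an added illustration, not part of the original thread or the poster's configuration, and it is written in current nftables syntax rather than the tools of 2005. The table and chain names, the set name `campus_dns`, and the addresses 192.0.2.53 and 192.0.2.54 (documentation-range placeholders for the campus DNS servers) are all assumptions. It handles only TCP/53, the subject of the thread, and leaves UDP/53 to the rest of the policy.

```nftables
# Added example: border firewall policy for DNS over TCP.
# Only the hosts in @campus_dns may open, or receive, TCP/53 across the
# border; every other TCP/53 connection attempt is logged and dropped.
# The addresses below are placeholders, not real campus servers.
table inet border {
    set campus_dns {
        type ipv4_addr
        elements = { 192.0.2.53, 192.0.2.54 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Packets belonging to a connection already allowed through
        ct state established,related accept

        # Outbound: the campus resolvers may still talk DNS over TCP to the
        # outside, so their fallback to TCP for truncated answers keeps working
        ip saddr @campus_dns tcp dport 53 accept

        # Inbound: only the campus authoritative servers may be reached on
        # TCP/53 (zone transfers, AXFR/IXFR, run over TCP)
        ip daddr @campus_dns tcp dport 53 accept

        # Any other DNS over TCP, in either direction, is logged and dropped
        # so that unexpected use shows up in the firewall log
        tcp dport 53 log prefix "dns-tcp-blocked " drop
    }
}
```

Loading it with `nft -f` on the border router and then watching for the `dns-tcp-blocked` prefix in the kernel log gives a quick way to see which hosts, other than the designated servers, were attempting DNS over TCP before the rule existed.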