8 Jun
2011
8 Jun
'11
9:54 p.m.
On 06/08/11 18:32, Jared Mauch wrote:
MYTHS:
TCP/53 is only for zone transfers ICMP is a security risk/ddos avenue Internal networks must be secured with NAT A firewall is the only way to secure the perimiter
In fact for IPv6, ICMP is more important vs less. Firewalls frequently harm and don't block data going out. TCP/53 is needed for EDNS.
tcp/53 is needed when EDNS is _not_ available and DNS message size exceeds 512 bytes. UDP fragments are (sometimes) necessary for EDNS. So, that adds to your MYTHS section: Fragmented packets (like ICMP) are always a security risk and DDoS vector michael