Comments on TaoSecurity Blog: Blocking Port 53 TCP
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated 2023-10-16T06:06:25.012-04:00; 7 comments, newest first.

Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417), 2007-11-04 19:32 -05:00

Anonymous, do you even know what I am talking about with respect to legitimate, non-zone-transfer DNS over TCP?

Anonymous, 2007-11-04 14:16 -05:00

DNS servers ONLY should be left open for TCP/53 connects for zone transfers. Good security practice is DENY any any eq 53 UDP/TCP -- EXCEPT for your primary and secondary DNS servers.

X-Istence (https://www.blogger.com/profile/17456435362208853003), 2007-09-14 00:41 -04:00

Richard:

I had no doubts about that. I just found it funny you decided to point it out with a screencap of Wireshark.

Anyone who is blocking TCP port 53 outbound should not be allowed to administrate a firewall, since they apparently have no clue how any of the protocols they are using work.

Marcin (https://www.blogger.com/profile/02403324596880195518), 2007-09-13 17:17 -04:00

Reminds me of those sites/people who block ICMP because it can be used for tracert or, God forbid, ping of death!

Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417), 2007-09-13 15:56 -04:00

bert jw,

I knew it was going to be TCP before I even looked at the traffic. Does that make you happy?

Tom,

Your service is cool -- I was just commenting because I have seen sites that hear "block 53 TCP!" and end up blocking it everywhere, in and out, without thought of the consequences.

Unknown (Tom Byrnes) (https://www.blogger.com/profile/03183494593746386705), 2007-09-13 14:18 -04:00

Tom Byrnes, CTO and founder of ThreatSTOP here.

Yes, we have to use TCP because of the list size. However, you only have to allow outbound requests from your firewall or nameserver, not any inbound, so that should not present any security risk to your infrastructure.

For the paranoid, you can sign up for our service, which is free and will provide the same lists even when there isn't a net-emergency. We use a private secure DNS running the latest BIND 9 stable.

X-Istence (https://www.blogger.com/profile/17456435362208853003), 2007-09-13 13:03 -04:00

;; Truncated, retrying in TCP mode.

Should have been a great hint :P
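The mechanism behind Tom Byrnes' "we have to use TCP because of the list size" and the dig line ";; Truncated, retrying in TCP mode." is the TC (truncated) bit from RFC 1035: a plain UDP DNS message is capped at 512 bytes, and when the answer does not fit the server replies over UDP with TC=1 and only the header and question, after which the client must repeat the identical query over TCP (two-byte length prefix, RFC 1035 section 4.2.2; made a mandatory transport by RFC 7766). EDNS0 raises the UDP ceiling but does not remove the fallback. The following is an added example written for this page, not code from the blog post, from any commenter, or from ThreatSTOP. Both "servers" are constructed in-process so it runs offline; the response addresses use the 192.0.2.0/24 documentation range, and `blocked_tcp` is a stand-in for a firewall that drops outbound TCP/53 from the resolver.

```python
import struct

DNS_UDP_MAX = 512  # RFC 1035: maximum DNS payload over UDP without EDNS0


def build_header(ident, *, qr=0, tc=0, rd=1, ra=0, rcode=0,
                 qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    flags = (qr << 15) | (tc << 9) | (rd << 8) | (ra << 7) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, nscount, arcount)


def parse_header(msg):
    """Unpack the header fields a resolver needs to decide what to do next."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": (flags >> 15) & 1, "tc": (flags >> 9) & 1,
            "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(ident, name, qtype=1):
    """Standard recursive query: header + one question (QTYPE, QCLASS IN)."""
    return build_header(ident) + encode_name(name) + struct.pack("!HH", qtype, 1)


def tcp_frame(msg):
    """TCP DNS prefixes every message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    (n,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + n]


def needs_tcp_retry(udp_reply):
    """A response with TC=1 is incomplete; the client must retry over TCP."""
    h = parse_header(udp_reply)
    return h["qr"] == 1 and h["tc"] == 1


def resolve(query, udp_send, tcp_send):
    """Client logic: UDP first, then the same query over TCP if truncated."""
    reply = udp_send(query)
    if not needs_tcp_retry(reply):
        return reply, "udp"
    full = tcp_unframe(tcp_send(tcp_frame(query)))
    if parse_header(full)["id"] != parse_header(query)["id"]:
        raise ValueError("transaction ID mismatch on TCP retry")
    return full, "tcp"


def a_records(n):
    """n constructed A records (name pointer to the question, IN, TTL 300)."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    return b"".join(rr + bytes([192, 0, 2, i]) for i in range(1, n + 1))


def make_server(n_answers, *, udp):
    """Constructed server returning n_answers A records; over UDP it sets TC=1
    and drops the answer section when the full message exceeds 512 bytes."""
    def serve(msg):
        query = msg if udp else tcp_unframe(msg)
        ident, question = parse_header(query)["id"], query[12:]
        full = build_header(ident, qr=1, ra=1, ancount=n_answers) + question + a_records(n_answers)
        if udp and len(full) > DNS_UDP_MAX:
            return build_header(ident, qr=1, ra=1, tc=1, ancount=0) + question
        return full if udp else tcp_frame(full)
    return serve


def blocked_tcp(framed):
    """Hypothetical firewall policy 'deny any any eq 53 tcp' seen from the resolver."""
    raise ConnectionRefusedError("outbound TCP/53 filtered by firewall")


def describe_lookup(query, udp_send, tcp_send):
    try:
        reply, via = resolve(query, udp_send, tcp_send)
    except OSError as exc:
        return f"FAILED: {exc}"
    return f"answered via {via} with {parse_header(reply)['ancount']} records"


QUERY = build_query(0x1234, "example.com")  # constructed query, ID 0x1234

if __name__ == "__main__":
    big = 40  # 40 A records: 12 + 17 + 40*16 = 669 bytes, over the UDP limit
    print(describe_lookup(QUERY, make_server(1, udp=True), make_server(1, udp=False)))
    print(describe_lookup(QUERY, make_server(big, udp=True), make_server(big, udp=False)))
    print(describe_lookup(QUERY, make_server(big, udp=True), blocked_tcp))
```

The third lookup is the failure mode the thread is about: the UDP reply arrives but carries no usable answer, and the TCP retry that would fetch it is refused, so a "deny TCP/53" rule applied to the resolver's outbound traffic breaks any name whose answer exceeds the UDP size, zone transfers or not. The rule a resolver actually needs is outbound TCP/53 from the resolver with return traffic for established connections, while inbound TCP/53 can stay closed everywhere except the authoritative servers that serve zones.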