Re: Setting up SMTP for outbound mail only

I found the following regarding UDP 53 and am wondering what your
thoughts are on this. Namely, if I open it will it be a security
risk?

No.

UDP 53 must be open to receive DNS responses. As UDP is
connectionless, there is no way to open only outbound UDP 53
connections. (Anything you think of as a UDP "connection" is a fake
state maintained by some firewalls across packets with reflexive
source and destination info.)

And, as is typical of newbie-sponsored sites like "AuditMyPC," their
assessment of TCP 53 is wrong. TCP 53 is used for normal DNS recursion
when responses are over UDP packet capacity, _not_ only for zone
transfer. However, outbound + stateful TCP 53 is all that is necessary.

Their assessment has the mild ring of truth in that you must ensure
that zone transfer is not possible from the Net at large. But [a]
opening outbound TCP 53 connections for DNS recursion does not mean
that inbound TCP 53 is open; and [b] even opening inbound TCP 53 does
not mean that you are opening zone transfers. All of these are
separate configuration areas in modern DNS servers.

--Sandy



------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
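As an added illustration (not part of Sandy's post), here is a small Python model of the two filtering approaches the reply contrasts: a port-only filter, which has no choice but to accept any packet arriving from source port 53, versus a stateful filter that accepts inbound UDP or TCP 53 traffic only when it reverses a query this host sent, and refuses an unsolicited inbound TCP 53 connection. The addresses, ports and packets are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = leaving our host, "in" = arriving at our host

class StatefulFilter:
    """Permit new outbound flows to port 53; permit inbound packets only when
    they reverse a flow this host initiated (the firewall's 'fake' UDP state)."""
    def __init__(self):
        self.flows = set()   # remembered (proto, src, sport, dst, dport) tuples

    def allow(self, p: Packet) -> bool:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if p.direction == "out":
            if p.dport == 53:        # new DNS query over UDP or TCP: record it
                self.flows.add(key)
                return True
            return key in self.flows
        return reverse in self.flows  # inbound: only replies to our own queries

def stateless_allow(p: Packet) -> bool:
    """Port-only rule with no flow memory: it cannot distinguish a genuine
    DNS reply from any other packet arriving with source port 53."""
    return p.dport == 53 if p.direction == "out" else p.sport == 53

def demo():
    """Constructed packets (RFC 5737 documentation addresses) through both filters."""
    us, resolver, stranger = "192.0.2.10", "198.51.100.53", "203.0.113.7"
    packets = [
        Packet("udp", us, 40123, resolver, 53, "out"),      # our UDP query
        Packet("udp", resolver, 53, us, 40123, "in"),       # matching reply
        Packet("udp", resolver, 53, us, 40124, "in"),       # reply to nothing we sent
        Packet("tcp", us, 40200, resolver, 53, "out"),      # retry over TCP (large answer)
        Packet("tcp", resolver, 53, us, 40200, "in"),       # its TCP reply segment
        Packet("tcp", stranger, 51000, us, 53, "in"),       # unsolicited inbound TCP 53
    ]
    fw = StatefulFilter()
    return {"stateful": [fw.allow(p) for p in packets],
            "stateless": [stateless_allow(p) for p in packets]}

if __name__ == "__main__":
    print(demo())
```

The third packet is the case the reply is making: only the stateful filter drops a "reply" from port 53 that answers no query of ours, while both filters refuse the unsolicited inbound TCP 53 connection.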
