NetBSD-Users archive


Re: IPF rules

On Fri, Jul 02, 2021 at 11:12:31PM -0400, Jason Mitchell wrote:
> I think you would only need to allow inbound connections to tcp port 53 if
> you were running a nameserver on your machine. You would want to make sure
> that you allow outbound connections on tcp port 53 from your nameserver in
> any case. Are you using your own nameserver or are you using another machine
> for name resolution?

No, you think incorrectly.  It doesn't matter if you are running a name server or not: if you
block tcp/53 going out then you break DNS; it appears to work but fails on some domains.  I
did say this:

> > > > 2) are you sure your rules are correct?  A particularly favourite
> > > > hobby-horse of mine is people  blocking DNS over tcp/53 due to the
> > > > totally WRONG belief that only dns zone transfers use tcp/53.  This is
> > > > WRONG (did I say wrong?) - if a DNS response won't fit into a UDP packet
> > > > then the DNS server will reply to the client telling it to try over tcp.
> > > > If your firewall doesn't allow that to happen there may be delays in
> > > > name resolution which could cause the appearance that gmail is slow.

I suggest that a bit of research into DNS would save you guessing.

> If the nameserver isn't on your computer then: "nc -w 4 -v <nameserver ip>
> 53" will let you know if you can connect to that server on port 53. (-v =
> verbose, -w 4 = 4 second timeout so you don't wait forever). If there's a
> network problem the connection will timeout or you'll get an error. Here are
> examples:

Yes, this would be good to try.

> And I use somewhat often and it goes to the same place as

It didn't when I last looked, they must have relented on that sometime.

Brett Lymn
Sent from my NetBSD device.

"We are were wolves",
"You mean werewolves?",
"No we were wolves, now we are something else entirely",
