Edgar A. Mendieta wrote:

>Hi;
>
>I read about this and need you give me some opinions of the following:
>
>I have one Firewall and four DNS. I have only one dns that i permit
>transfers to other dns in other network. In my firewall i have one ACL by
>my Secondaries DNS, in this list i permit zone transfer, only for my
>secundaries. And i have UDP DNS for all. I think that this is the same if
>i put in my dns (allow-transfer { }). This cause any problem? if i put ACL
>for my Secundaries in my Firewall.
>
>The something is that i have ACL in my firewall and in my DNS, this ACL is
>by zone transfer. The Firewall ACL affect the correct operation in the DNS
>

Although zone transfers are the main things that use TCP, you should
open TCP for all DNS communication, everywhere that you open UDP.

As for whether you should enforce DNS controls at the firewall or at the
nameserver, that's really more of a security-administration question
than a BIND/DNS one. You have to take into consideration whether you
want to protect your nameserver against DoS'es, for instance, the
likelihood of a DNS misconfiguration that might accidentally open your
nameserver up to the world, the likelihood of an exploit in the BIND
code (this will vary greatly depending on whether you're running BIND 9
or something older than that), and a number of other considerations...


- Kevin