Re: [squid-users] why is the UDP port for DNS queries kept "open"?

From: Steve Bremer <steveb@dont-contact.us>
Date: Tue, 19 Mar 2002 08:33:25 -0600

Hi,

> > If you are really worried about the security of having port 53 open, I
> > suggest you move your DNS onto a dedicated server in your DMZ (ie. on your
> > perimeter network, if you have one, otherwise outside your firewall/proxy,
> > connected directly to the internet). DNS will not work if you do not allow
> > udp and tcp packets to/from port 53. If your server is only a caching server
> > for internal queries, you can block tcp connections (SYN packets) coming in
> > to port 53, which prevents some nasties.
>
> In fact, this is what you should do.

Yes, this is a good idea, but it isn't the problem I'm having. My
tcp/udp port 53 is closed on the external interface. My problem is
trying to stop squid from listening on all interfaces on a udp port >
1023.

From reading the archives, it sounds like it's Squid's internal dns
resolver that is binding to a udp port > 1023 in order to perform dns
lookups. I'm not sure on the details of how this works, or why it
leaves the port open (and listening) in order to create a connection
to another server for DNS lookups. You don't typically have to
leave the port open in a listening state for DNS resolution (e.g.
client -> server request where Squid's internal DNS resolver is the
client and the server being dnscache).

Perhaps I'm misunderstanding what is going on with Squid.
Can anyone help clear this up for me?

Thanks,
Steve
Received on Tue Mar 19 2002 - 07:35:12 MST
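To illustrate the mechanism behind the question, here is an added example (not Squid's code and not from the thread): a UDP resolver socket must stay bound to an ephemeral port (> 1023) to receive its replies, so it shows up as an open port, and if it is unconnected and bound to all interfaces, any host can deliver a datagram to it. Binding the socket to one local address and calling connect() on it towards the nameserver makes the kernel discard datagrams from any other source. The loopback "nameserver" and "stranger" peers are constructed for the demo.

```python
import socket

LOOPBACK = "127.0.0.1"


def make_peer():
    """A loopback UDP peer standing in for the nameserver (or a stranger); constructed for the demo."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((LOOPBACK, 0))          # kernel picks an ephemeral port
    return s


def resolver_socket(nameserver=None):
    """Emulate a resolver's UDP query socket.

    nameserver is None : bound to an ephemeral port on all interfaces and
                         left unconnected, so any source can reach it.
    nameserver given   : bound to loopback only and connect()ed, so the
                         kernel only delivers datagrams from that peer.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(0.5)              # reply wait; a drop shows up as a timeout
    if nameserver is None:
        s.bind(("0.0.0.0", 0))
    else:
        s.bind((LOOPBACK, 0))
        s.connect(nameserver)      # fixes the peer the kernel will accept from
    return s


def accepts_from(resolver, sender, payload=b"reply"):
    """Send one datagram from `sender` to the resolver's port; True if it was delivered."""
    port = resolver.getsockname()[1]
    sender.sendto(payload, (LOOPBACK, port))
    try:
        data, _ = resolver.recvfrom(512)
        return data == payload
    except socket.timeout:
        return False               # filtered by the kernel, never seen by the app


def demo():
    server, stranger = make_peer(), make_peer()
    unconnected = resolver_socket()
    connected = resolver_socket(server.getsockname())
    results = {
        "unconnected_accepts_server": accepts_from(unconnected, server),
        "unconnected_accepts_stranger": accepts_from(unconnected, stranger),
        "connected_accepts_server": accepts_from(connected, server),
        "connected_accepts_stranger": accepts_from(connected, stranger),
    }
    for s in (server, stranger, unconnected, connected):
        s.close()
    return results
```

The connected socket still occupies an open UDP port while a query is outstanding, which is why it appears in a port listing; what changes is which sources the kernel will deliver to it.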

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:06:59 MST