NetBSD-Users archive
Re: IPF rules
On Fri, Jul 02, 2021 at 11:12:31PM -0400, Jason Mitchell wrote:
>
> I think you would only need to allow inbound connections to tcp port 53 if
> you were running a nameserver on your machine. You would want to make sure
> that you allow outbound connections on tcp port 53 from your nameserver in
> any case. Are you using your own nameserver or are you using another machine
> for name resolution?
>
No, you think incorrectly. It doesn't matter if you are running a name server or not: if you
block tcp/53 going out then you break DNS; it appears to work but fails on some domains. I
did say this:
> > > > 2) are you sure your rules are correct? A particularly favourite
> > > > hobby-horse of mine is people blocking DNS over tcp/53 due to the
> > > > totally WRONG belief that only dns zone transfers use tcp/53. This is
> > > > WRONG (did I say wrong?) - if a DNS response won't fit into a UDP packet
> > > > then the DNS server will reply to the client telling it to try over tcp.
> > > > If your firewall doesn't allow that to happen there may be delays in
> > > > name resolution which could cause the appearance that gmail is slow.
I suggest that a bit of research into DNS would save you guessing.
> If the nameserver isn't on your computer then: "nc -w 4 -v <nameserver ip>
> 53" will let you know if you can connect to that server on port 53. (-v =
> verbose, -w 4 = 4 second timeout so you don't wait forever). If there's a
> network problem the connection will time out or you'll get an error. Here are
> examples:
>
Yes, this would be good to try.
>
> And I use mail.google.com somewhat often and it goes to the same place as
> gmail.com.
>
It didn't when I last looked; they must have relented on that sometime.
--
Brett Lymn
--
Sent from my NetBSD device.
"We are were wolves",
"You mean werewolves?",
"No we were wolves, now we are something else entirely",
"Oh"
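As an added illustration (not code from the thread or from NetBSD), here is a small Python resolver that does what Brett describes: query over UDP, and retry over TCP only when the server sets the TC bit. The udp_send/tcp_send hooks and the 192.0.2.1 server address are assumptions so the fallback logic can be exercised offline.

```python
import socket
import struct

def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query for `name` (class IN, type A by default) with RD set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def is_truncated(response: bytes) -> bool:
    """True when the TC bit (RFC 1035 4.1.1) is set: the answer did not fit in UDP."""
    if len(response) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)

def _udp(server: str, query: bytes) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(4)
        s.sendto(query, (server, 53))
        return s.recv(512)

def _tcp(server: str, query: bytes) -> bytes:
    # RFC 1035 4.2.2: over TCP every message carries a 2-byte big-endian length prefix.
    with socket.create_connection((server, 53), timeout=4) as s, s.makefile("rb") as f:
        s.sendall(struct.pack("!H", len(query)) + query)
        hdr = f.read(2)
        if len(hdr) < 2:
            raise OSError("connection closed before the length prefix arrived")
        return f.read(struct.unpack("!H", hdr)[0])

def resolve(name: str, server: str, udp_send=None, tcp_send=None):
    """UDP first, TCP when the reply is truncated. udp_send/tcp_send are hypothetical
    injectable hooks so the fallback can run offline. Returns (reply_bytes, transport)."""
    query = build_query(name)
    udp_send = udp_send or (lambda q: _udp(server, q))
    tcp_send = tcp_send or (lambda q: _tcp(server, q))
    reply = udp_send(query)
    if not is_truncated(reply):
        return reply, "udp"
    # A firewall dropping outbound tcp/53 breaks exactly this step: small answers
    # still resolve, large ones hang or fail, so DNS only appears to work.
    try:
        return tcp_send(query), "tcp"
    except OSError as exc:
        raise RuntimeError(f"TCP fallback to {server}:53 failed: {exc}") from exc
```

Pointed at a real resolver with the hooks left at their defaults, a name whose answer is too large for UDP will surface the tcp/53 block as the RuntimeError rather than as a silent slowdown.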