May 18, 2012
tom

Will my DNS secondaries work properly if I only permit udp/53 traffic from the Internet?

Question

I run a “hidden primary master” DNS setup on BIND, so only secondaries are visible to the outside world. The firewall currently permits traffic from the Internet to both udp/53 and tcp/53 on the secondaries and everything seems to work fine.

Each day however, I see a load of “refused notify from non-master” log entries from external addresses that have nothing to do with me. I understand what the log entries are telling me there, but I’d rather not have all this “noise” in my logs.

As only the secondaries are Internet-facing, can I safely deny tcp/53 traffic from the Internet to prevent the “refused notify from non-master” entries, or is there a good reason to allow tcp/53 traffic to the secondaries? The master is behind the same firewall and would not be affected by this firewall change.

Answer

TCP is also used if the answer is exceeding 512 bytes, not only for zone transfers.
I wouldn’t block this on your firewall.

Answered by faker
