I thought it was more insecure allowing TCP transfers through port 53. That's what
I've always heard.

Anyways, look at this
http://advice.networkice.com/Advice/Intrusions/2000401/default.htm

"Paul D. Robertson" wrote:

> On Thu, 6 Jan 2000, Vanja Hrustic wrote:
>
> > I've heard various comments on this, so I want to double-check it.
> >
> > Is it ok if only UDP/53 is left open, to serve DNS requests? As much as
> > I have understood, I can safely close TCP/53. The server in question is
> > a 'small' one (meaning: not so many requests per day, and only requests
> > for www/dns/mail will probably come there anyway).
>
> TCP is used for large answers and zone transfers.  If you need to do
> either, you'll need to allow the traffic - for instance AOL's servers
> return rather large answer sets for www.aol.com (or at least used to.)
>
> TCP can be set to only allow ACKed packets back in, so it's actually
> "safer" than UDP, but of course UDP is necessary.
>
> > I have been looking at the traffic for past 24 hours, and as much as I
> > can see, everything works fine (some requests come first to TCP/53, but
> > they are resent after few secs to UDP/53). However, I might break
> > something without knowing it :)
> >
> > Any advices?
>
> Make sure that you don't allow queries on the nameserver if at all
> possible unless you specifically need to allow access to a zone you're
> hosting.  Personally, I prefer an external "hardened" nameserver that
> the internal server is allowed to talk to, that way external traffic
> comes from a host I own and admin, not from anywhere on the Internet
> (an alternative may be to allow it to/from the root servers or a
> provider's server- I prefer roots to trusting anyone else's server to
> answer correctly.)  If you're running BIND, you want to
> make sure you're on 8.2.2-P5, everything else seems to be in active
> exploitation.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
>                                                                      PSB#9280
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

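The filtering policy the thread converges on (UDP/53 open for queries, TCP/53 only where zone transfers or large answers actually need it, and TCP replies admitted only for sessions the host itself established) can be written down as a small rule generator. This is an added example, not something posted by either author; it assumes an iptables host with the conntrack match, and the secondary nameserver addresses are constructed placeholders.

```shell
# Added example: iptables rules for a nameserver that answers UDP/53 for everyone
# and opens TCP/53 only where the thread says it is needed.
# MODE=print (default) shows the rules; MODE=apply runs iptables.
# SECONDARIES lists the hosts allowed to pull zone transfers (AXFR) over TCP.
# ALLOW_TCP_QUERIES=yes additionally lets any client retry a truncated answer over TCP.

SECONDARIES="${SECONDARIES:-192.0.2.10 198.51.100.7}"   # constructed example addresses
ALLOW_TCP_QUERIES="${ALLOW_TCP_QUERIES:-no}"
MODE="${MODE:-print}"

# Either run iptables or echo the command line, depending on MODE.
rule() {
  if [ "$MODE" = apply ]; then
    iptables "$@"
  else
    echo "iptables $*"
  fi
}

dns_rules() {
  # Packets belonging to a session this host opened (e.g. replies to our own
  # TCP queries to other nameservers) come back in; nothing else does by default.
  rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Ordinary DNS queries arrive over UDP.
  rule -A INPUT -p udp --dport 53 -j ACCEPT

  # Zone transfers: new TCP/53 connections only from the known secondaries.
  for s in $SECONDARIES; do
    rule -A INPUT -p tcp -s "$s" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
  done

  # Answers too large for UDP are truncated and resolvers retry over TCP;
  # open TCP/53 to everyone only if this server actually serves such answers.
  if [ "$ALLOW_TCP_QUERIES" = yes ]; then
    rule -A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
  fi

  # Any other inbound TCP/53 attempt is dropped.
  rule -A INPUT -p tcp --dport 53 -j DROP
}

dns_rules
```

Run it once in the default print mode to review the rule set, then with `MODE=apply` on the firewall host; the same `dns_rules` function serves both, so what is reviewed is what gets applied.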