Security Basics mailing list archives

RE: Securing DNS Server

From: "Mustafa Baig" <mbaig () meikoamerica com>
Date: Tue, 5 Nov 2002 10:33:20 -0800

Not always true, depends on the DMZ setup.

I've DMZ->WAN blocked as well as WAN->DMZ. Port 53 is opened for DNS
queries and the ISP DNS servers are configured at forwarders. Otherwise
all ports and traffic is blocked.

You can just use your ISP DNS servers as forwards if you don't want to
open the ports for root servers. 
 
Regards
--
Mustafa Baig

*-. -----Original Message-----
*-. From: Daniel Miessler [mailto:danielrm26 () hotmail com]
*-. Sent: Monday, November 04, 2002 8:26 PM
*-. To: 'Naman Latif'; 'security-basics'
*-. Subject: RE: Securing DNS Server
*-. 
*-. > But it turned out that when our DNS Server has to query a root
name
*-. > server, it sends out a UDP query with a random higher (>1023)
source
*-. > port number, which means that I will have to open >1023 Ports
access
*-. to
*-. > this server from outside.
*-. 
*-. You don't have to open ports on your firewall that correspond with
the
*-. source port number of your outgoing traffic.  You can make any DNS
*-. queries without opening ports; you only need to open ports to OFFER
*-. service, not to request it.  And even then, it is only going to be
UDP
*-. (and possibly TCP) port 53.
*-. 
*-. --Daniel

Current thread:

Securing DNS Server Naman Latif (Nov 04)
- RE: Securing DNS Server Michael Vaughan (Nov 05)
- RE: Securing DNS Server Daniel Miessler (Nov 05)
- Re: Securing DNS Server Bennett Todd (Nov 08)
- <Possible follow-ups>
- RE: Securing DNS Server Naman Latif (Nov 05)
  - RE: Securing DNS Server Steven Schullo (Nov 06)
- RE: Securing DNS Server Mustafa Baig (Nov 06)
- RE: Securing DNS Server Naman Latif (Nov 06)
  - Re: Securing DNS Server Bennett Todd (Nov 06)