Security Basics mailing list archives
Re: Securing DNS Server
From: Bennett Todd <bet () rahul net>
Date: Tue, 5 Nov 2002 15:41:49 -0500
2002-11-05-14:36:41 Naman Latif:
> Try adding this to named.conf:
>
>     options { query-source address * port 53; };
>
> ++++++++++++++++++++++++++++++++++
> Which would have the originating queries only from Port 53, thus making it easier to implement in the firewall.
It may make it easier to firewall, but it's got other consequences. It may, depending on the implementation in the server, limit the server to one outstanding query at a time, which would only be acceptable for exceptionally low-volume servers (home servers, perhaps). Or it may cause all concurrent queries to share the same src port, rather than being issued distinct src ports, which would have the consequence that it would be much, much easier to forge a reply packet and send it to the server to poison its cache. Either way, the consequence may, perhaps, be worse than just allowing incoming UDP to a wide range of ports on the DNS server. It really comes down to a question of whether you can harden that server adequately.

-Bennett
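The shared-source-port consequence described above can be checked from the resolver's own outbound traffic. The following is an added example, not code from this thread: it parses tcpdump-style query lines (constructed here, using documentation addresses) for an assumed resolver address, reports how many distinct source ports the resolver used, and sizes the blind guess space a reply forger would face (16-bit transaction ID alone when the port is fixed, ID times ephemeral port range otherwise).

```python
import re
from collections import Counter

# Constructed tcpdump-style lines for a resolver at 192.0.2.10 (not a real capture).
# First capture: every query leaves from port 53, as "query-source ... port 53" would cause.
FIXED_PORT_CAPTURE = """\
15:41:49.100 IP 192.0.2.10.53 > 198.51.100.1.53: 4711+ A? example.com. (29)
15:41:49.120 IP 192.0.2.10.53 > 198.51.100.2.53: 4712+ A? example.org. (29)
15:41:49.140 IP 192.0.2.10.53 > 198.51.100.1.53: 4713+ MX? example.net. (29)
15:41:49.160 IP 203.0.113.7.41000 > 192.0.2.10.53: 100+ A? example.com. (29)
"""
# Second capture: the resolver lets the OS pick a distinct ephemeral port per query.
RANDOM_PORT_CAPTURE = """\
15:41:49.100 IP 192.0.2.10.40213 > 198.51.100.1.53: 9981+ A? example.com. (29)
15:41:49.120 IP 192.0.2.10.51877 > 198.51.100.2.53: 2317+ A? example.org. (29)
15:41:49.140 IP 192.0.2.10.33502 > 198.51.100.1.53: 60001+ MX? example.net. (29)
"""

# Matches "IP <src>.<sport> > <dst>.53: <txid>+" i.e. an outbound query to port 53.
QUERY_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.53: (\d+)\+ ")

TXID_SPACE = 2 ** 16            # DNS transaction ID is 16 bits
EPHEMERAL_PORTS = 65536 - 1024  # assumed unprivileged port range used for source ports


def outbound_query_ports(capture, resolver_ip):
    """Count the UDP source ports resolver_ip used for its own outbound queries."""
    ports = Counter()
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group(1) == resolver_ip:   # ignore queries sent *to* the resolver
            ports[int(m.group(2))] += 1
    return ports


def assess(capture, resolver_ip):
    """Summarise source-port behaviour and the resulting blind-forgery guess space."""
    ports = outbound_query_ports(capture, resolver_ip)
    total = sum(ports.values())
    distinct = len(ports)
    fixed = total > 1 and distinct == 1
    guess_space = TXID_SPACE if fixed else TXID_SPACE * EPHEMERAL_PORTS
    return {"queries": total, "distinct_ports": distinct,
            "fixed_port": fixed, "blind_guess_space": guess_space}


if __name__ == "__main__":
    print(assess(FIXED_PORT_CAPTURE, "192.0.2.10"))
    print(assess(RANDOM_PORT_CAPTURE, "192.0.2.10"))
```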