Security Basics mailing list archives
RE: DNS Records
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 23 Jun 2003 10:11:13 -0700
Unfortunately, this approach may be subject to semi-random failures, because it embodies a common misconception about how DNS works. A DNS server will use TCP instead of UDP to return the results of a query if the size of the result exceeds some threshold value, even if the original query was not a zone transfer request. For many simple domains, this may never happen in normal operation, but it's not safe to assume that all domains have this property. A properly-configured all-purpose DNS server needs access to both 53/udp and 53/tcp. The correct way to block zone transfers is in the DNS server software config, not the firewall.

David Gillett
-----Original Message-----
From: Charlie Winckless [mailto:CharlieW () netarch com]
Sent: June 18, 2003 16:27
To: security-basics () securityfocus com
Subject: RE: DNS Records

Zone transfers happen on 53/TCP, rather than the 53/UDP that is used for typical lookups. As such, if your DNS server is behind a firewall you have the option of layered security. You can configure your DNS server as below -- to only allow zone transfers from known servers (those which serve as secondaries for the domains that that server is authoritative for, at a minimum) and only allow 53/TCP connections from those systems. Just in case. :)

-- Charlie
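To make the truncation point concrete, here is an added example (written for this archive page, not code from either poster) in Python: it builds a minimal DNS query, inspects the TC (truncated) flag in a UDP reply header, and shows what a client sees behind a firewall that allows only 53/udp. The truncated reply is constructed inline; no network is used.

```python
import random
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000  # response
TC = 0x0200  # truncated: the answer did not fit in the UDP reply, retry over TCP
RD = 0x0100  # recursion desired


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query message: 12-byte header plus one question."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Decode the fixed header; only the fields needed for the TC check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def needs_tcp_retry(udp_reply):
    """A resolver must repeat the query over TCP when the server set TC."""
    return parse_header(udp_reply)["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035, 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def resolve_with_policy(udp_reply, tcp_53_allowed):
    """Outcome for a client whose firewall may or may not pass 53/tcp."""
    if not needs_tcp_retry(udp_reply):
        return "ok-udp"
    return "retry-tcp" if tcp_53_allowed else "FAIL-tcp-blocked"


def truncated_reply(query):
    """Constructed sample: what a server returns when the full answer exceeds
    the UDP size limit (512 bytes without EDNS0): QR and TC set, question echoed,
    no usable answer records."""
    txid = parse_header(query)["id"]
    return struct.pack("!HHHHHH", txid, QR | TC | RD, 1, 0, 0, 0) + query[12:]
```

The "FAIL-tcp-blocked" path is exactly the semi-random failure described above: it only appears for names whose answers are large (many records, DNSSEC signatures), so a udp-only firewall rule looks fine until it doesn't.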