Re: Does blocking TCP DNS packets keep your Bind safe?

["M. Dodge Mumford" <dodge () nfr net>]

On Wed, 7 Mar 2001, Don Kendrick wrote:

> 1. We should all only do zone transfers (TCP) with known secondaries.

I haven't done it, but I saw nothing in RFC 1035 that says that zone
transfers have to happen over TCP.

> 2. Most if not all "normal" queries needed by legit Internet traffic are UDP.

Most, yes. I'd probably say that 99.999% of legit A, PTR, and MX
queries happen over UDP. But I also saw nothing in the RFC that says they
have to happen that way.

> Why not just block port 53 TCP connections at the border routers except for
> our secondaries. Is it possible to do a buffer overflow or other DNS/Bind
> exploit via UDP? I don't know the answer, I'm asking.

I haven't done that, but I have every reason to suspect it's possible. I
think the old inverse query buffer overflow worked over UDP, but it's been
a while since I looked at that. Keep in mind the maximum legal size of a
UDP datagram's payload is about 65,495 (65535-40) bytes which is plenty
big enough for a buffer overflow. Granted it would get fragmented into at
least (umm) 43 packets (probably more), but it should still be possible.




Dodge

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards