Firewall Wizards mailing list archives
Re: Does blocking TCP DNS packets keep your Bind safe?
From: "M. Dodge Mumford" <dodge () nfr net>
Date: Fri, 9 Mar 2001 10:28:57 -0500 (EST)
On Wed, 7 Mar 2001, Don Kendrick wrote:
> 1. We should all only do zone transfers (TCP) with known secondaries.
I haven't done it, but I saw nothing in RFC 1035 that says that zone transfers have to happen over TCP.
> 2. Most if not all "normal" queries needed by legit Internet traffic are UDP.
Most, yes. I'd probably say that 99.999% of legit A, PTR, and MX queries happen over UDP. But I also saw nothing in the RFC that says they have to happen that way.
> Why not just block port 53 TCP connections at the border routers except for our secondaries. Is it possible to do a buffer overflow or other DNS/Bind exploit via UDP? I don't know the answer, I'm asking.
I haven't done that, but I have every reason to suspect it's possible. I think the old inverse query buffer overflow worked over UDP, but it's been a while since I looked at that. Keep in mind the maximum legal size of a UDP datagram's payload is about 65,495 (65535-40) bytes, which is plenty big enough for a buffer overflow. Granted it would get fragmented into at least (umm) 43 packets (probably more), but it should still be possible.

Dodge

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
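The exchange above turns on two protocol facts: RFC 1035 defines one message format that is carried unchanged over UDP or, with a 2-byte length prefix, over TCP (so transport filtering says nothing about what a message contains), and UDP messages are capped at 512 bytes unless the sender advertises a larger size with an EDNS0 OPT record (RFC 2671). The following script is an added example, not code from the post or the list; it builds a query, shows the TCP framing of the same bytes, and classifies a UDP DNS payload as within the classic limit, within an advertised EDNS0 size, or oversized, which is the kind of check a monitoring rule would apply to the large fragmented datagrams Dodge describes. All inputs are constructed inline; the function names are this example's own.

```python
import struct

# RFC 1035 section 4.2.1: UDP messages are limited to 512 bytes unless EDNS0 raises the limit
CLASSIC_UDP_MAX = 512
OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 2671)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234, edns_udp_size: int = 0) -> bytes:
    """Build a standard recursive query; edns_udp_size > 0 appends an OPT RR advertising that size."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # class IN
    msg = header + question
    if edns_udp_size:
        # OPT RR: root name, type 41, CLASS field carries the UDP payload size, TTL 0, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg


def frame_for_tcp(msg: bytes) -> bytes:
    """RFC 1035 section 4.2.2: the identical message over TCP is prefixed with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg: bytes) -> int:
    """Walk the sections; return the OPT RR's advertised size, or CLASSIC_UDP_MAX if there is none."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return CLASSIC_UDP_MAX


def classify_udp_payload(payload: bytes) -> str:
    """Heuristic used by a monitor: is this UDP DNS payload a size the protocol actually allows for?"""
    if len(payload) < 12:
        return "malformed: shorter than DNS header"
    try:
        limit = advertised_udp_size(payload)
    except (IndexError, struct.error):
        return "malformed: truncated record"
    if len(payload) <= CLASSIC_UDP_MAX:
        return "ok: within classic 512-byte limit"
    if len(payload) <= limit:
        return f"ok: {len(payload)} bytes, within EDNS0 advertised {limit}"
    return f"suspicious: {len(payload)} bytes exceeds advertised {limit}"


if __name__ == "__main__":
    # Constructed samples: a plain query, the same bytes framed for TCP, and padded oversized datagrams
    plain = build_query("example.com", 1)
    print(len(plain), "bytes over UDP;", len(frame_for_tcp(plain)), "bytes over TCP")
    print(classify_udp_payload(plain))
    print(classify_udp_payload(plain + b"\x00" * 600))
    print(classify_udp_payload(build_query("example.com", 1, edns_udp_size=4096) + b"\x00" * 600))
```

The classifier only reads the declared records, so trailing bytes past the last record count toward the size but are never parsed; that is deliberate, since a filter that trusted the header counts to bound the datagram would miss exactly the padding it should be flagging.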
Current thread:
- Does blocking TCP DNS packets keep your Bind safe? Don Kendrick (Mar 09)
- Re: Does blocking TCP DNS packets keep your Bind safe? Gary Flynn (Mar 10)
- Re: Does blocking TCP DNS packets keep your Bind safe? M. Dodge Mumford (Mar 10)
- Re: Does blocking TCP DNS packets keep your Bind safe? David Lang (Mar 10)
- <Possible follow-ups>
- Does blocking TCP DNS packets keep your Bind safe? Don Kendrick (Mar 09)
- Re: Does blocking TCP DNS packets keep your Bind safe? John Adams (Mar 10)
- Re: Does blocking TCP DNS packets keep your Bind safe? Crist Clark (Mar 10)
- Re: Does blocking TCP DNS packets keep your Bind safe? Jeff Sedayao (Mar 10)
- Re: Does blocking TCP DNS packets keep your Bind safe? Andrew Huffer (Mar 10)
- Re: Does blocking TCP DNS packets keep your Bind safe? Bill_Royds (Mar 10)
- RE: Does blocking TCP DNS packets keep your Bind safe? Ben Nagy (Mar 11)
- Re: Does blocking TCP DNS packets keep your Bind safe? Luca Berra (Mar 13)
- RE: Does blocking TCP DNS packets keep your Bind safe? Todd (Mar 13)
(Thread continues...)