Re: Does blocking TCP DNS packets keep your Bind safe?

[David Lang <dlang () diginsite com>]

Don, re: #1
if your internet visable DNS only contains data on your internet visable
machines why do you care if someone does a zone transfer?

re #2
the problem is in the use of the term 'most' I blocked TCP 53 inbound for
a while and discovered that it did cause strange and mysterious error
reports from people trying to get to our servers.

in theory you are correct, you should be able to as long an no requests
are going to be large, but in practice it doesn't work that way.

David Lang


 On Wed, 7 Mar 2001, Don
Kendrick wrote:

> Date: Wed, 07 Mar 2001 16:09:01 -0500
> From: Don Kendrick <don () netspys com>
> To: firewall-wizards () nfr net
> Subject: [fw-wiz] Does blocking TCP DNS packets keep your Bind safe?
>
> OK, here I go again breaking things :)
>
> Over the years I've argued about blocking icmp at the border routers. Steve
> Bellovin et al would usually argue that it breaks path MTU, etc. I'd
> usually argue that we can rely on path MTU being negotiated elsewhere in
> the path (LAN vs. WAN bandwidth)...but I digress
>
> Here's what I am suggesting:
>
> 1. We should all only do zone transfers (TCP) with known secondaries.
>
> 2. Most if not all "normal" queries needed by legit Internet traffic are UDP.
>
> Why not just block port 53 TCP connections at the border routers except for
> our secondaries. Is it possible to do a buffer overflow or other DNS/Bind
> exploit via UDP? I don't know the answer, I'm asking.
>
> Don
>
>
>
> Don Kendrick, CNE, CCNA, GCIA, CISSP
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards