Firewall Wizards mailing list archives
Re: Does blocking TCP DNS packets keep your Bind safe?
From: David Lang <dlang () diginsite com>
Date: Fri, 9 Mar 2001 09:43:43 -0800 (PST)
Don, re: #1 if your internet visable DNS only contains data on your internet visable machines why do you care if someone does a zone transfer? re #2 the problem is in the use of the term 'most' I blocked TCP 53 inbound for a while and discovered that it did cause strange and mysterious error reports from people trying to get to our servers. in theory you are correct, you should be able to as long an no requests are going to be large, but in practice it doesn't work that way. David Lang On Wed, 7 Mar 2001, Don Kendrick wrote:
Date: Wed, 07 Mar 2001 16:09:01 -0500 From: Don Kendrick <don () netspys com> To: firewall-wizards () nfr net Subject: [fw-wiz] Does blocking TCP DNS packets keep your Bind safe? OK, here I go again breaking things :) Over the years I've argued about blocking icmp at the border routers. Steve Bellovin et al would usually argue that it breaks path MTU, etc. I'd usually argue that we can rely on path MTU being negotiated elsewhere in the path (LAN vs. WAN bandwidth)...but I digress Here's what I am suggesting: 1. We should all only do zone transfers (TCP) with known secondaries. 2. Most if not all "normal" queries needed by legit Internet traffic are UDP. Why not just block port 53 TCP connections at the border routers except for our secondaries. Is it possible to do a buffer overflow or other DNS/Bind exploit via UDP? I don't know the answer, I'm asking. Don Don Kendrick, CNE, CCNA, GCIA, CISSP _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Does blocking TCP DNS packets keep your Bind safe? Don Kendrick (Mar 09)
- Re: Does blocking TCP DNS packets keep your Bind safe? Gary Flynn (Mar 10)
- Re: Does blocking TCP DNS packets keep your Bind safe? M. Dodge Mumford (Mar 10)
- Re: Does blocking TCP DNS packets keep your Bind safe? David Lang (Mar 10)
- <Possible follow-ups>
- Does blocking TCP DNS packets keep your Bind safe? Don Kendrick (Mar 09)
- Re: Does blocking TCP DNS packets keep your Bind safe? John Adams (Mar 10)
- Re: Does blocking TCP DNS packets keep your Bind safe? Crist Clark (Mar 10)
- Re: Does blocking TCP DNS packets keep your Bind safe? Jeff Sedayao (Mar 10)
- Re: Does blocking TCP DNS packets keep your Bind safe? Andrew Huffer (Mar 10)
- Re: Does blocking TCP DNS packets keep your Bind safe? Bill_Royds (Mar 10)
- RE: Does blocking TCP DNS packets keep your Bind safe? Ben Nagy (Mar 11)
- Re: Does blocking TCP DNS packets keep your Bind safe? Luca Berra (Mar 13)
- RE: Does blocking TCP DNS packets keep your Bind safe? Todd (Mar 13)
- Re: Does blocking TCP DNS packets keep your Bind safe? Darren Reed (Mar 14)
(Thread continues...)