Firewall Wizards mailing list archives

Re: Does blocking TCP DNS packets keep your Bind safe?


From: Andrew Huffer <ahuffer () tellabs com>
Date: Fri, 9 Mar 2001 09:36:37 -0600 (CST)


Don:

I agree that TCP transfers should only be allowed from the authorized
secondaries.  This should be enforced first by the BIND configuration and
then backed up by the firewall configuration.  This is really important.
Doing this limits the possibility of a hacker easily getting a map of the
network, thereby making him/her work a little bit harder to create a
profile for the attack.

General queries are UDP.  It is still possible to overflow named via UDP,
depending on the version of BIND we are talking about of course.

/ahuffer/


On Wed, 7 Mar 2001, Don Kendrick wrote:

******* Repost, sorry wrong email address used **********

OK, here I go again breaking things :)

Over the years I've argued about blocking icmp at the border routers. Steve
Bellovin et al would usually argue that it breaks path MTU, etc. I'd
usually argue that we can rely on path MTU being negotiated elsewhere in
the path (LAN vs. WAN bandwidth)...but I digress

Here's what I am suggesting:

1. We should all only do zone transfers (TCP) with known secondaries.

2. Most if not all "normal" queries needed by legit Internet traffic are UDP.

Why not just block port 53 TCP connections at the border routers except for
our secondaries. Is it possible to do a buffer overflow or other DNS/Bind
exploit via UDP? I don't know the answer, I'm asking.

Don


Don Kendrick, CNE, CCNA, GCIA, CISSP

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
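As an added illustration of the point both posters make (restrict zone transfers in BIND first, then back it up at the border), here is a constructed BIND 9 named.conf fragment, not code from either message; the zone name and secondary addresses are placeholders.

```conf
// Constructed BIND 9 example (added here, not part of the thread).
// 192.0.2.10 and 192.0.2.11 stand in for the authorized secondaries.

acl "secondaries" {
    192.0.2.10;
    192.0.2.11;
};

options {
    directory "/var/named";
    // Ordinary lookups stay open; these are the UDP queries the thread refers to.
    allow-query { any; };
    // Weak setting would be:  allow-transfer { any; };
    // which lets any host pull the whole zone over TCP 53.
    // Safer global default: refuse transfers, and let zones opt in below.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Only the listed secondaries may AXFR this zone.
    allow-transfer { secondaries; };
    also-notify { 192.0.2.10; 192.0.2.11; };
};
```

To confirm the restriction holds, request an AXFR of the zone from a host that is not in the ACL and check that the server refuses it; the TCP 53 filter at the border router is then the second layer, not the only one.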




