Security Incidents mailing list archives
Re: Large DNS scans from 211.53.208.178
From: sigipp () WELLA COM BR (sigipp () WELLA COM BR)
Date: Wed, 3 May 2000 08:23:34 -0300
Hi Seth,

I don't think that disabling 53/tcp in the firewall is always a good idea. Not all normal requests, or rather their answers, fit into a single UDP packet (at least in IPv4). So if it does not fit, it will be requested/sent with TCP. TCP is not only for zone transfers.

I prefer another method: setting up a "shadow domain", as described in "DNS and BIND" by Paul Albitz & Cricket Liu. Our official DNS has only three entries. So it does not make much difference whether one does a zone transfer or makes three requests. Normally the official DNS would only contain data for some well-known services (http, ftp, mail, dns) and may be completely different from the internal names and/or addresses. I think dividing the namespace into a "real" namespace without common access, and a very much restricted "shadow" namespace with free access for everyone, adds more security than disallowing 53/tcp. And if you really need to restrict zone transfers, this is better done in the DNS server configuration.

Nevertheless some bureaucrats have decided to allow 53/tcp only for our secondary name server. I don't think that it adds any security, for this address may be spoofed. Although it will be quite difficult to redirect or sniff the answer (no source routed packets allowed).

Greetings from Rio de Janeiro
Siegfried Gipp
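The mechanism behind the point about 53/tcp, as an added example that is not part of the post: a resolver inspects the TC (truncated) bit in the 12-byte DNS header of a UDP reply and, when it is set, repeats the same query over TCP with the 2-byte length prefix that DNS-over-TCP requires. The two reply messages are constructed samples, not captured traffic; blocking 53/tcp at the firewall leaves the "tcp" branch below with nowhere to go.

```python
import struct

UDP_MAX_PAYLOAD = 512  # RFC 1035 ceiling for a DNS reply over UDP (pre-EDNS0)

def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(ident: int, name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Standard recursive query: flags 0x0100 (QR=0, RD=1), one question, no other sections."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)

def parse_header(msg: bytes) -> dict:
    """Split the fixed 12-byte header into its fields; TC is bit 9 of the flags word."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": (flags >> 15) & 1, "tc": (flags >> 9) & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def needs_tcp_retry(udp_response: bytes) -> bool:
    """A client that sees TC=1 must repeat the query over 53/tcp to get the whole answer."""
    return parse_header(udp_response)["tc"] == 1

def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP carries each message behind a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def resolve_plan(udp_response: bytes, original_query: bytes) -> tuple:
    """('udp', reply) if the UDP answer is usable, else ('tcp', framed query to resend)."""
    if needs_tcp_retry(udp_response):
        return ("tcp", frame_for_tcp(original_query))
    return ("udp", udp_response)

# Constructed sample replies (header + question section only, no records).
# 0x8180 sets QR, RD, RA; 0x8380 additionally sets TC, which is what a server
# sends when the full answer would exceed UDP_MAX_PAYLOAD.
COMPLETE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                  + encode_name("mail.example.com") + struct.pack("!HH", 1, 1))
TRUNCATED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 15, 1))

if __name__ == "__main__":
    q = build_query(0x1234, "example.com", qtype=15)  # MX lookup, often large
    print(resolve_plan(TRUNCATED_REPLY, q)[0])  # tcp
    print(resolve_plan(COMPLETE_REPLY, q)[0])   # udp
```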