Security Incidents mailing list archives

Re: Large DNS scans from 211.53.208.178


From: sigipp () WELLA COM BR (sigipp () WELLA COM BR)
Date: Wed, 3 May 2000 08:23:34 -0300


Hi Seth,

I don't think that disabling 53/tcp in firewall is always a good idea. Not all
normal requests, or rather their answers, fit into a single UDP packet (at least in IP
v4). So if it does not fit, it will be requested/sent with TCP. TCP is not only
for zone transfers.

I prefer another method: Setting up a "shadow domain", like it is described in
"DNS and BIND" from Paul Albitz & Cricket Liu. Our official DNS has only three
entries. So it does not make much difference in doing a zone transfer or making
three requests. Normally the official DNS would only contain data for some
well-known services (http, ftp, mail, dns) and may be completely different from
the internal names and/or addresses.

I think dividing the namespace into a "real" namespace without common access,
and a very much restricted "shadow" namespace with free access for everyone adds
more security than disallowing 53/tcp. And if you really need to restrict zone
transfers, this is better done in the DNS server configuration.

Nevertheless some bureaucrats have decided to allow 53/tcp only for our secondary
name server. I don't think that it adds some security, for this address may be
spoofed. Although it will be quite difficult to redirect or sniff the answer (no
source routed packets allowed).

Greetings from Rio de Janeiro
Siegfried Gipp
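The "shadow domain" split and the per-zone transfer restriction described in the post, as an added BIND named.conf example (not configuration from the original message or its author). Zone name example.com, the address ranges, file paths and the secondary's address 192.0.2.53 are all assumptions; the zone files themselves are not shown, only their roles.

```conf
// Added example: split ("shadow") DNS with BIND views.
// Hosts and addresses below are placeholders, not real infrastructure.

acl "internal-nets" { 10.0.0.0/8; 127.0.0.1; };   // assumed internal range
acl "secondary-ns"  { 192.0.2.53; };              // assumed official secondary

options {
    directory "/var/named";
    // Global default: no zone transfers at all unless a zone says otherwise.
    allow-transfer { none; };
};

// Internal view: the "real" namespace, reachable only from inside.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;

    zone "example.com" {
        type master;
        file "internal/db.example.com";   // full set of internal names
    };
};

// External view: the restricted "shadow" namespace anyone may query.
// Its zone file holds only the public names (ns, www, mail), so an AXFR
// of it reveals nothing beyond what three ordinary queries would return.
view "external" {
    match-clients { any; };
    recursion no;                          // answer only for our own zone

    zone "example.com" {
        type master;
        file "external/db.example.com";    // only well-known public hosts
        // Transfers are restricted here, in the server, not at the firewall,
        // so 53/tcp stays open for ordinary answers that exceed one UDP packet.
        allow-transfer { "secondary-ns"; };
        also-notify { 192.0.2.53; };
    };
};
```

A zone transfer runs over TCP, so a client that merely forges the secondary's source address never completes the handshake and never receives the zone; if you want the restriction to not rest on the source address at all, BIND can additionally require a TSIG key in the allow-transfer list.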