Security Incidents mailing list archives
Re: DNS ports and scans
From: Keith Owens <kaos () OCS COM AU>
Date: Sun, 6 May 2001 13:00:16 +1000
On Sat, 5 May 2001 12:36:05 -0400, Jason Lewis <jlewis () JASONLEWIS NET> wrote:
> DNS queries are on UDP port 53. TCP port 53 is used for zone transfers. By blocking TCP port 53 I can't do zone transfers, but clients can still do lookups on UDP 53. Since I have blocked TCP port 53, I have seen a decrease in attack attempts on my name servers, primarily because that port isn't open. I do still see scans for the DNS ports, but nothing more than a port scan. My name servers are successfully serving my domains, so I don't see a downside. Thoughts?
If you query a site with a DNS entry that is too big for UDP (approx 512 bytes) then your name server will switch over to TCP. You have just blocked your access to sites with large DNS entries. It is much better to selectively block DNS over TCP, by accepting incoming TCP:53 if the ACK bit is set and refusing incoming TCP:53 without the ACK bit. Since the only incoming TCP packet without ACK is the initial SYN packet from outside, that prevents somebody attacking you over TCP:53 but lets you start a TCP:53 session. Also allow TCP:53 for your external name servers, with or without ACK.
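A stand-alone model of the selective TCP:53 rule described in the reply above, added here as an illustration and not code from the thread; the peer addresses and sample packets are constructed placeholders.

```python
from dataclasses import dataclass

# Assumed partner name servers allowed to open TCP:53 to us (secondaries,
# forwarders); placeholder addresses from the documentation range.
EXTERNAL_NS = {"192.0.2.10", "198.51.100.53"}

@dataclass
class Inbound:
    """A constructed inbound packet, as a stateless packet filter sees it."""
    proto: str           # "tcp" or "udp"
    src: str             # remote address
    sport: int
    dport: int
    syn: bool = False    # TCP SYN flag
    ack: bool = False    # TCP ACK flag

def dns_filter(pkt: Inbound) -> str:
    """Apply the rule from the reply: return 'accept', 'drop' or 'other'."""
    if 53 not in (pkt.sport, pkt.dport):
        return "other"                     # not covered by this rule set
    if pkt.proto == "udp":
        return "accept"                    # ordinary lookups and their answers
    if pkt.proto != "tcp":
        return "drop"
    if pkt.src in EXTERNAL_NS:
        return "accept"                    # partner name servers: with or without ACK
    if pkt.ack:
        return "accept"                    # mid-stream segment, e.g. the reply to a TCP query we started
    return "drop"                          # bare SYN: an outside host opening TCP:53 to us

def decisions(packets):
    return [dns_filter(p) for p in packets]

# Constructed traffic: (1) a UDP lookup, (2) an outside host opening TCP:53 to us,
# (3) the SYN-ACK from a remote server answering our TCP retry after a truncated
# UDP reply, (4) a partner secondary opening TCP:53 for a zone transfer.
SAMPLE = [
    Inbound("udp", "203.0.113.7", 40000, 53),
    Inbound("tcp", "203.0.113.7", 40001, 53, syn=True),
    Inbound("tcp", "203.0.113.9", 53, 40002, syn=True, ack=True),
    Inbound("tcp", "192.0.2.10", 40003, 53, syn=True),
]

if __name__ == "__main__":
    for p, d in zip(SAMPLE, decisions(SAMPLE)):
        print(f"{p.proto} {p.src}:{p.sport} -> :{p.dport} syn={p.syn} ack={p.ack}: {d}")
```

Because the rule keys only on the ACK bit, any inbound segment with ACK set passes even when no connection exists; a stateful filter that tracks connection state closes that gap.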