Security Incidents mailing list archives

Re: DNS ports and scans


From: Keith Owens <kaos () OCS COM AU>
Date: Sun, 6 May 2001 13:00:16 +1000

On Sat, 5 May 2001 12:36:05 -0400,
Jason Lewis <jlewis () JASONLEWIS NET> wrote:
> DNS queries are on UDP port 53.  TCP port 53 is used for zone transfers.  By
> blocking TCP port 53 I can't do zone transfers, but clients can still do
> lookups on UDP 53.  Since I have blocked TCP port 53, I have seen a decrease
> in attack attempts on my name servers, primarily because that port isn't
> open.  I do still see scans for the DNS ports, but nothing more than a port
> scan.
>
> My name servers are successfully serving my domains, so I don't see a
> downside.  Thoughts?

If you query a site with a DNS entry that is too big for UDP (approx
512 bytes) then your name server will switch over to TCP.  You have
just blocked your access to sites with large DNS entries.

It is much better to selectively block DNS over TCP, by accepting
incoming TCP:53 if the ACK bit is set and refusing incoming TCP:53
without the ACK bit.  Since the only incoming TCP packet without ACK is
the initial SYN packet from outside, that prevents somebody attacking
you over TCP:53 but lets you start a TCP:53 session.  Also allow TCP:53
for your external name servers, with or without ACK.
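
Editor's added example, not code from either poster. It models the two filter policies in this thread side by side: Jason's blanket drop of inbound TCP port 53 and Keith's rule of passing inbound TCP:53 only when ACK is set or when the source is one of our own external name servers. It also shows the step Keith relies on, a resolver seeing the TC (truncation) bit in a UDP reply and retrying over TCP. The addresses, the ephemeral port, the "external name server" set and the two 12-byte DNS headers are constructed for the example; the packet model is a toy, not a real firewall.

```python
"""Model of the two TCP:53 filter policies from the thread: a blanket block
of TCP port 53 versus an ACK-bit rule.  Added example, not code from the
original message; addresses, ports and packets below are constructed."""
from dataclasses import dataclass

# Constructed addresses (assumptions for the example).
MY_RESOLVER = "192.0.2.10"        # our host that does outbound lookups
MY_NS = "192.0.2.53"              # our authoritative name server
EXTERNAL_NS = {"198.51.100.53"}   # our own off-site name server(s)
REMOTE_NS = "203.0.113.7"         # some other site's name server

TCP_SYN = 0x02
TCP_ACK = 0x10
DNS_FLAG_TC = 0x0200              # TrunCation bit, RFC 1035 section 4.1.1


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    flags: int = 0  # TCP flag bits; unused for UDP


def is_dns_port(pkt: Packet) -> bool:
    # "TCP:53" in the thread covers both directions: our server's port 53
    # as destination, or a remote server's port 53 as source of a reply.
    return 53 in (pkt.sport, pkt.dport)


def blanket_filter(pkt: Packet) -> str:
    """Blanket policy: every inbound TCP packet touching port 53 is dropped."""
    if not is_dns_port(pkt):
        return "drop"          # not DNS traffic; outside this example
    if pkt.proto == "tcp":
        return "drop"
    return "accept"            # UDP lookups still work


def ack_filter(pkt: Packet) -> str:
    """ACK-bit policy: inbound TCP:53 passes only with ACK set (a segment of
    a session we opened) or when it comes from our own external servers."""
    if not is_dns_port(pkt):
        return "drop"
    if pkt.proto == "udp":
        return "accept"
    if pkt.src in EXTERNAL_NS:
        return "accept"        # secondaries may open zone transfers to us
    if pkt.flags & TCP_ACK:
        return "accept"        # reply segment for a connection we started
    return "drop"              # bare SYN from outside: nobody may connect


def udp_reply_truncated(msg: bytes) -> bool:
    """True if the TC bit is set in a DNS message header; a resolver then
    repeats the query over TCP (RFC 1035 section 4.2.1)."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes")
    flags = int.from_bytes(msg[2:4], "big")
    return bool(flags & DNS_FLAG_TC)


def lookup_path(udp_reply: bytes, policy) -> tuple:
    """Simulate our resolver receiving `udp_reply` from REMOTE_NS: if it is
    truncated, retry over TCP and run the remote server's SYN+ACK through
    `policy`.  Returns (transport used, verdict on the reply segment)."""
    if not udp_reply_truncated(udp_reply):
        return ("udp", "accept")
    # Our SYN to REMOTE_NS:53 is outbound and not filtered here; the answer
    # arrives from port 53 to our ephemeral port with SYN+ACK set.
    syn_ack = Packet(REMOTE_NS, MY_RESOLVER, "tcp", 53, 40001, TCP_SYN | TCP_ACK)
    return ("tcp", policy(syn_ack))


# Constructed 12-byte DNS headers: ID 0x1234, QDCOUNT 1, no records.
NORMAL_REPLY = bytes.fromhex("1234 8180 0001 0000 0000 0000")     # QR,RD,RA
TRUNCATED_REPLY = bytes.fromhex("1234 8380 0001 0000 0000 0000")  # QR,TC,RD,RA

# A scanner's connection attempt to our name server.
PROBE_SYN = Packet("203.0.113.99", MY_NS, "tcp", 31337, 53, TCP_SYN)
# Our off-site secondary opening a zone transfer.
AXFR_SYN = Packet("198.51.100.53", MY_NS, "tcp", 2049, 53, TCP_SYN)

if __name__ == "__main__":
    for name, policy in (("blanket", blanket_filter), ("ack-bit", ack_filter)):
        print(name, "probe:", policy(PROBE_SYN), "axfr:", policy(AXFR_SYN),
              "big record:", lookup_path(TRUNCATED_REPLY, policy))
```

Under the blanket policy the truncated lookup's TCP retry never gets its SYN+ACK back and the secondary's zone transfer is refused; under the ACK-bit policy both succeed while the scanner's bare SYN is still dropped. Two caveats worth knowing: the ACK-bit rule is stateless, so a crafted ACK-only segment to port 53 from anywhere still reaches the TCP stack (it cannot open a connection, but ACK scans will see the port), and stateful filters that track established connections (iptables conntrack, for example) now give the same effect without the trick. The ipchains `-y` and iptables `--syn` matches (SYN set, ACK and FIN clear) are the usual way to express "initial SYN from outside" in a real rule set.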

