RE: DNS ports and scans

[John Coke <jcoke () ibeam com>]

The KB article is
http://support.microsoft.com/support/kb/articles/q263/2/37.asp.

John Coke
Information Security Specialist, Senior Hostmaster - RHCE, CCNA
i (B (E (A (M Broadcasting
ph: 405.717.4895
cell: 405.209.8519
PGP fingerprint: A8D1 4CBD 88CF 1B37 8008 2F79 3081 2108 8F45 E846
PGP key ID 0x8F45E846 (pgp.mit.edu)

> -----Original Message-----
> From: Frijole [mailto:frijole () clas net]
> Sent: Monday, May 14, 2001 12:17 PM
> To: Eyes to the Skies.; INCIDENTS () securityfocus com
> Subject: Re: DNS ports and scans
>
>
> There is one major downside to blocking TCP port 53 - some 
> Microsoft clients
> will not be able to do host lookups properly. I have seen 
> this on NT 4.0
> with OP4 installed. The SMTP service was polling the dns 
> server using TCP,
> not UDP. Searching http://support.microsoft.com I found an 
> obscure article
> (that I wish I had saved) which stated that according to the 
> RFC, both TCP
> and UDP connections should be allowed on public DNS servers. 
> Once I opened
> TCP, the SMTP was able to resolve properly and send messages.
>
> I have noticed in my DNS server log files that many of the NT 
> boxes on our
> LAN do attempt to transfer zones, but I have not taken the time to
> investigate it. As transfers are *still* restricted on our 
> DNS servers, we
> know that the NT box referenced above was not failing due to 
> the inability
> to transfer a zone, but was using TCP instead of UDP to query the DNS
> server.
>
>
> Youn Gonzales
> System Administrator
> CLAS Net Inc.
> Comptia A+, Network+
> Cisco CCNA
> Chicken is tasty..
>
>
> ----- Original Message -----
> From: "Eyes to the Skies." <sgtphou () fire-eyes yi org>
> To: <INCIDENTS () SECURITYFOCUS COM>
> Sent: Saturday, May 05, 2001 3:18 PM
> Subject: Re: DNS ports and scans
>
>
> > Jason Lewis wrote:
> > > DNS queries are on UDP port 53.  TCP port 53 is used for 
> zone transfers.
> By
> > > blocking TCP port 53 I can't do zone transfers, but 
> clients can still do
> > > lookups on UDP 53.  Since I have blocked TCP port 53, I 
> have seen a
> decrease
> > > in attack attempts on my name servers, primarily because 
> that port isn't
> > > open.  I do still see scans for the DNS ports, but 
> nothing more than a
> port
> > > scan.
> > >
> > > My question is...Can anyone come up with any pros/cons of 
> doing this?
> > > My name servers are successfully serving my domains, so I 
> don't see a
> > > downside.  Thoughts?
> >
> > Well, I run a cacheing DNS server, only for myself. I was always
> > wondering how to stop it from listeing on my ppp (outside world)
> > interface, since no one on the outside needs to connect to me. I
> > firewalled as well.
> >
> > Today i figured out how to keep it listening only on the 
> IPs/interfaces
> > you want.
> >
> > I have a dial up box here, which runs the dns server. I 
> have another box
> > that is NAT'd as well. Anyway here's how i got it to listen only on
> > 127.0.0.1 and 192.168.0.1 :
> >
> > in /etc/named.conf (this is bind8):
> >
> > in the options section:
> >
> > listen-on { 127.0.0.1; 192.168.0.1; };
> >
> > So now, it doesn't even bother to listen on the ouside world (ppp0).
> >
> > Other thoughts, if you do need it open to the outside 
> world, would be to
> > have it use a different listen port. Anything other than 53.
> > --
> >
> >  http://c64.arcsnet.net/
> >  ICQ UIN 1551505
> >  "The things you own, they end up owning you." - Tylder Durden