Security Incidents mailing list archives
RE: DNS ports and scans
From: John Coke <jcoke () ibeam com>
Date: Tue, 15 May 2001 09:29:58 -0700
The KB article is http://support.microsoft.com/support/kb/articles/q263/2/37.asp.

John Coke
Information Security Specialist, Senior Hostmaster - RHCE, CCNA
iBEAM Broadcasting
ph: 405.717.4895  cell: 405.209.8519
PGP fingerprint: A8D1 4CBD 88CF 1B37 8008 2F79 3081 2108 8F45 E846
PGP key ID 0x8F45E846 (pgp.mit.edu)
-----Original Message-----
From: Frijole [mailto:frijole () clas net]
Sent: Monday, May 14, 2001 12:17 PM
To: Eyes to the Skies.; INCIDENTS () securityfocus com
Subject: Re: DNS ports and scans

There is one major downside to blocking TCP port 53 - some Microsoft clients will not be able to do host lookups properly. I have seen this on NT 4.0 with OP4 installed. The SMTP service was polling the dns server using TCP, not UDP. Searching http://support.microsoft.com I found an obscure article (that I wish I had saved) which stated that according to the RFC, both TCP and UDP connections should be allowed on public DNS servers. Once I opened TCP, the SMTP was able to resolve properly and send messages.

I have noticed in my DNS server log files that many of the NT boxes on our LAN do attempt to transfer zones, but I have not taken the time to investigate it. As transfers are *still* restricted on our DNS servers, we know that the NT box referenced above was not failing due to the inability to transfer a zone, but was using TCP instead of UDP to query the DNS server.

Youn Gonzales
System Administrator
CLAS Net Inc.
CompTIA A+, Network+
Cisco CCNA

Chicken is tasty..

----- Original Message -----
From: "Eyes to the Skies." <sgtphou () fire-eyes yi org>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Saturday, May 05, 2001 3:18 PM
Subject: Re: DNS ports and scans

Jason Lewis wrote:
> DNS queries are on UDP port 53. TCP port 53 is used for zone transfers. By
> blocking TCP port 53 I can't do zone transfers, but clients can still do
> lookups on UDP 53. Since I have blocked TCP port 53, I have seen a decrease
> in attack attempts on my name servers, primarily because that port isn't
> open. I do still see scans for the DNS ports, but nothing more than a port
> scan. My question is...Can anyone come up with any pros/cons of doing this?
> My name servers are successfully serving my domains, so I don't see a
> downside. Thoughts?

Well, I run a caching DNS server, only for myself. I was always wondering how to stop it from listening on my ppp (outside world) interface, since no one on the outside needs to connect to me. I firewalled as well. Today I figured out how to keep it listening only on the IPs/interfaces you want. I have a dial up box here, which runs the dns server. I have another box that is NAT'd as well.

Anyway here's how I got it to listen only on 127.0.0.1 and 192.168.0.1: in /etc/named.conf (this is bind8), in the options section:

    listen-on { 127.0.0.1; 192.168.0.1; };

So now, it doesn't even bother to listen on the outside world (ppp0). Other thoughts, if you do need it open to the outside world, would be to have it use a different listen port. Anything other than 53.

--
http://c64.arcsnet.net/
ICQ UIN 1551505
"The things you own, they end up owning you." - Tyler Durden
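The TCP fallback the thread is arguing about, as an added example (not code from any poster): a resolver sends its query over UDP and, if the reply comes back with the TC (truncated) bit set, must repeat it over TCP, which is the step a firewall dropping TCP/53 breaks. The two sample replies are constructed, not captured traffic.

```python
import random
import struct

def build_query(name, qtype=1, qid=None):
    """Build a DNS query message (RFC 1035 section 4.1) for `name`, class IN."""
    qid = random.randrange(0, 65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, QR clear
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte DNS header; the TC bit is what drives the TCP retry."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def needs_tcp_retry(udp_reply, expected_id):
    """True when the UDP reply is truncated, i.e. the resolver must ask again over TCP."""
    h = parse_header(udp_reply)
    if not h["qr"] or h["id"] != expected_id:
        raise ValueError("reply does not match the outstanding query")
    return h["tc"]

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

# Constructed sample replies (not captured traffic): same question section,
# one with QR|RD|TC|RA set (server had to truncate), one with QR|RD|RA only.
SAMPLE_QID = 0x1234
_question = build_query("example.com", qid=SAMPLE_QID)[12:]
TRUNCATED_REPLY = struct.pack("!HHHHHH", SAMPLE_QID, 0x8380, 1, 0, 0, 0) + _question
COMPLETE_REPLY = struct.pack("!HHHHHH", SAMPLE_QID, 0x8180, 1, 0, 0, 0) + _question

if __name__ == "__main__":
    for label, reply in (("truncated", TRUNCATED_REPLY), ("complete", COMPLETE_REPLY)):
        retry = needs_tcp_retry(reply, SAMPLE_QID)
        print(f"{label} reply: retry over TCP = {retry}")
        if retry:
            framed = tcp_frame(build_query("example.com", qid=SAMPLE_QID))
            print(f"  would send {len(framed)} bytes to TCP port 53;"
                  " a firewall dropping TCP/53 leaves this lookup incomplete")
```

A truncated UDP reply carries no usable answer, so a client behind a filter that drops TCP/53 simply never resolves the name; that is the failure mode the NT SMTP service in the thread ran into.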
Current thread:
- Re: DNS ports and scans Keith Owens (May 07)
- <Possible follow-ups>
- Re: DNS ports and scans Ryan Sweat (May 07)
- Re: DNS ports and scans Abe Getchell (May 07)
- Re: DNS ports and scans Valdis Kletnieks (May 07)
- Re: DNS ports and scans Frijole (May 14)
- Re: DNS ports and scans Crist Clark (May 14)
- RE: DNS ports and scans John Coke (May 15)