Penetration Testing mailing list archives
RE: DNS ACL ?
From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Tue, 22 Nov 2005 11:08:42 -0500
-----Original Message-----
From: Dario Ciccarone (dciccaro) [mailto:dciccaro () cisco com]
Sent: Thursday, November 17, 2005 3:07 AM
To: pen-test () securityfocus com
Subject: FW: DNS ACL ?
RFC-2671 ('Extension Mechanisms for DNS (EDNS0)') updates RFC-2671 and allows for packet sizes > 512 when using UDP as transport. A reference from MS: http://support.microsoft.com/kb/828263 Some queries that might exceed the 512-byte size are those like, for example, www.microsoft.com or www.yahoo.com, due to the number of A records returned. So, you will probably be OK with only allowing 53/udp to your DNS server.
That's not always true. Yes, DNS extensions have a mechanism to increase the UDP message size. However, both sides (clients and servers) are involved in the process of negotiating those big messages. Not all DNS clients automatically try to negotiate bigger UDP messages. The same goes for DNS servers. And there are always security devices somewhere on the network that may not allow those extensions... either by stripping or disallowing the UDP message size option or simply by ignoring (/not understanding) them. My recommendation is to not rely on any extended DNS functionality.

Kyle
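The negotiation Kyle describes is visible in the wire format: a client advertises its UDP payload size in an EDNS0 OPT pseudo-RR (type 41, RFC 2671), and a server that lacks EDNS0 support, or a middlebox that strips the OPT record, falls back to the 512-byte limit and sets the TC bit, which tells the resolver to retry over 53/tcp. The following is an added example, not code from the thread: it builds such messages and checks a response for the TC bit and any advertised payload size, so an administrator can see whether a UDP-only ACL on port 53 would break resolution. The sample responses are constructed inline, not captured traffic.

```python
import struct

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR type (RFC 2671)
FLAG_TC = 0x0200   # TrunCation bit in the DNS header flags

def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_message(name, flags, edns_udp_size=None, qtype=1):
    """Minimal DNS message with one question and, optionally, an EDNS0 OPT RR
    in the additional section advertising the UDP payload size we accept."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack(">HHHHHH", 0x1234, flags, 1, 0, 0, arcount)
    msg += _encode_name(name) + struct.pack(">HH", qtype, 1)
    if edns_udp_size:
        # OPT RR: root owner name, TYPE 41, CLASS = payload size,
        # TTL = extended RCODE/version/flags (all zero), RDLENGTH 0
        msg += b"\x00" + struct.pack(">HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg

def _skip_name(msg, off):
    # Advance past a (possibly compressed) domain name; return the next offset.
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += n + 1

def parse_response(msg):
    """Return (truncated, advertised_udp_size); size is None without an OPT RR."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    udp_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            udp_size = rclass             # CLASS field carries the payload size
        off += 10 + rdlen
    return bool(flags & FLAG_TC), udp_size

def tcp_fallback_required(response):
    """True when the resolver must retry over 53/tcp; a UDP-only ACL turns that into failure."""
    return parse_response(response)[0]

# Constructed samples: (1) no EDNS0 on the path, server set TC;
# (2) EDNS0 negotiated, server echoes a 4096-byte payload size, TC clear.
RESP_TRUNCATED = build_message("www.example.com", 0x8000 | FLAG_TC)
RESP_EDNS = build_message("www.example.com", 0x8000, edns_udp_size=4096)
```

A query built with `build_message("www.example.com", 0x0100, edns_udp_size=4096)` is what an EDNS0-capable stub sends; feeding real responses captured from your own resolver into `parse_response` shows which case your network actually falls into.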