Penetration Testing mailing list archives
RE: DNS ACL ?
From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
Date: Wed, 23 Nov 2005 12:56:39 -0500
Jeff: we had a similar discussion here with some other people. I hear that one again and again - 'need TCP to be RFC compliant'. I've checked 1035, and also "DNS & BIND" by Albitz and Liu - and all I can find is the *suggestion* for resolvers to retry using TCP, not a *requirement*. Would sincerely appreciate if you could provide us with an authoritative reference to try and settle the matter :)

thanks,
Dario

________________________________

From: Jeff Gercken [mailto:JeffG () kizan com]
Sent: Tuesday, November 22, 2005 9:17 AM
To: Dario Ciccarone (dciccaro); pen-test () securityfocus com
Subject: RE: DNS ACL ?

Be aware that if you drop tcp dns traffic you won't be RFC compliant. A method of spoof protection is to deny udp requests indicating to the client they should use tcp. I know this is employed by one of Cisco's anti DoS devices.

-jeff

________________________________

From: Dario Ciccarone (dciccaro) [mailto:dciccaro () cisco com]
Sent: Thu 11/17/2005 3:06 AM
To: pen-test () securityfocus com
Subject: FW: DNS ACL ?

Guess moderation doesn't work sometimes.

Hi! This is the ezmlm program. I'm managing the pen-test () securityfocus com mailing list.
I'm working for my owner, who can be reached at pen-test-owner () securityfocus com.

I'm sorry, the list moderators for the pen-test list have failed to act on your post. Thus, I'm returning it to you. If you feel that this is in error, please repost the message or contact a list moderator directly.

--- Enclosed, please find the message you sent.

-----Original Message-----
From: Dario Ciccarone (dciccaro)
Sent: Saturday, November 12, 2005 12:26 AM
To: John Hally; pen-test () securityfocus com
Subject: RE: DNS ACL ?

Yup. RFC-1035 specifies that DNS queries should use UDP as transport - and queries are sent to the DNS server IP address, port 53. If the server finds that the answer section is > 512 bytes, it should reply with at most 512 bytes and set the TC bit in the answer. It is up to the host performing the query to retry it using TCP. Check section '4.2. Transport' on the RFC.

RFC-2671 ('Extension Mechanisms for DNS (EDNS0)') updates RFC-2671 and allows for packet sizes > 512 when using UDP as transport. A reference from MS: http://support.microsoft.com/kb/828263

Some queries that might exceed the 512-byte size are those like, for example, www.microsoft.com or www.yahoo.com, due to the number of A records returned.

So, you will probably be OK with only allowing 53/udp to your DNS server.

Thanks,
Dario

> -----Original Message-----
> From: John Hally [mailto:JHally () epnet com]
> Sent: Friday, November 11, 2005 8:35 AM
> To: 'pen-test () securityfocus com'
> Subject: DNS ACL ?
>
> Hello All,
>
> I need a sanity check regarding DNS ACLs. For external facing DNS servers
> you need to allow only udp/53 inbound, correct? I know tcp/53 is used for
> zone transfers and requests/replies greater than a certain size, but they
> shouldn't typically happen for general dns queries correct?
>
> Thanks in advance!
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before hackers do!
> Download Trial at:
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------
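The mechanism the thread turns on (RFC 1035's 512-byte UDP limit, the TC bit, the resolver's TCP retry, and the EDNS0 OPT record from RFC 2671 that raises the limit) is easier to see in code. The following is an added example written for this archive page; it is not code from any of the posters or from Cisco, and all packets in it are constructed in memory (the simulated server, the query name www.example.com, the transaction ID and the 192.0.2.1 answer address are assumptions for the demonstration). The simulated server simplifies RFC 1035 by dropping the whole answer section when it truncates, rather than returning as many records as fit.

```python
"""Minimal DNS wire-format builder/parser showing why tcp/53 matters for an ACL:
a reply that does not fit the client's UDP limit comes back with TC set, and the
resolver is expected to retry over TCP. EDNS0 lets the client raise that limit."""
import struct
from typing import Optional

UDP_LIMIT_RFC1035 = 512   # payload a classic (non-EDNS0) resolver accepts over UDP
QR_BIT = 0x8000           # header flag: this message is a response
TC_BIT = 0x0200           # header flag: truncated (RFC 1035 section 4.1.1)
RD_BIT = 0x0100           # header flag: recursion desired
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past an uncompressed name that starts at pos."""
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + 1


def build_query(qname: str, txid: int = 0x1234,
                edns_udp_size: Optional[int] = None) -> bytes:
    """Build an A query. With edns_udp_size set, append an EDNS0 OPT pseudo-RR
    (RFC 2671) in the additional section advertising that UDP payload size."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, RD_BIT, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    msg = header + question
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS field carries the UDP size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR_BIT), "tc": bool(flags & TC_BIT),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def advertised_udp_size(query: bytes) -> int:
    """UDP payload size a query advertises via EDNS0, or 512 if it has no OPT RR."""
    hdr = parse_header(query)
    pos = 12
    for _ in range(hdr["qdcount"]):
        pos = skip_name(query, pos) + 4            # skip QTYPE + QCLASS
    for _ in range(hdr["arcount"]):               # a query carries no answer/authority RRs
        pos = skip_name(query, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass
    return UDP_LIMIT_RFC1035


def server_reply(query: bytes, n_addresses: int) -> bytes:
    """Simulated server (constructed for this example): answer with n_addresses
    A records of 16 bytes each (name pointer 0xC00C to the question). If the full
    reply would exceed the client's UDP limit, send header + question with TC set."""
    hdr = parse_header(query)
    limit = advertised_udp_size(query)
    qend = skip_name(query, 12) + 4
    question = query[12:qend]
    rr = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    answers = rr * n_addresses
    if qend + len(answers) > limit:
        return struct.pack("!HHHHHH", hdr["id"], QR_BIT | RD_BIT | TC_BIT, 1, 0, 0, 0) + question
    return struct.pack("!HHHHHH", hdr["id"], QR_BIT | RD_BIT, 1, n_addresses, 0, 0) + question + answers


def needs_tcp_retry(reply: bytes) -> bool:
    """Resolver side: TC set means the same query is retried over tcp/53 (RFC 1035 4.2)."""
    return parse_header(reply)["tc"]


if __name__ == "__main__":
    for size in (None, 4096):
        q = build_query("www.example.com", edns_udp_size=size)
        r = server_reply(q, 30)        # 33-byte question + 30 * 16 = 513 bytes > 512
        print(f"advertised={advertised_udp_size(q)} reply_len={len(r)} "
              f"retry_over_tcp={needs_tcp_retry(r)}")
```

Run as a script, the first iteration shows the classic 512-byte client getting a TC reply for a 30-address answer, while the EDNS0 client advertising 4096 bytes gets the full answer over UDP. For the ACL question, the practical reading is that a udp/53-only rule works exactly as long as no reply to your clients crosses their advertised limit; the TC bit is the signal that a retry on tcp/53 is about to be attempted.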