Security Basics mailing list archives

Re: Securing DNS Server


From: Bennett Todd <bet () rahul net>
Date: Tue, 5 Nov 2002 15:41:49 -0500

2002-11-05-14:36:41 Naman Latif:
Try adding this to named.conf:

options {
     query-source address * port 53;
};
++++++++++++++++++++++++++++++++++

Which would have the originating queries only from Port 53, thus making
it easier to implement in the firewall.

It may make it easier to firewall, but it's got other consequences.

It may, depending on the implementation in the server, limit the
server to one outstanding query at a time, which would only be
acceptable for exceptionally low-volume servers (home servers,
perhaps). Or it may cause all concurrent queries to share the same
src port, rather than being issued distinct src ports, which would
have the consequence that it would be much, much easier to forge a
reply packet and send it to the server to poison its cache.

Either way, the consequence may, perhaps, be worse than just
allowing incoming UDP to a wide range of ports on the DNS server.

It really comes down to a question of whether you can harden that
server adequately.

-Bennett
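The fixed-source-port weakness Bennett describes, modelled as an added example (not code from this thread or from BIND): a toy resolver keys its outstanding queries by (source port, txid), so when the port is pinned to 53 the 16-bit transaction ID is the only thing a forged reply has to match. The ephemeral port range, the resolver logic and the sample names are assumptions for illustration; rejected replies are counted because a burst of them is what a defender would alert on.

```python
import random
from dataclasses import dataclass

TXID_BITS = 16                    # DNS transaction ID width
EPHEMERAL = range(1024, 65536)    # assumed ephemeral source-port range

@dataclass(frozen=True)
class Reply:
    dst_port: int   # UDP port the reply is addressed to
    txid: int       # transaction ID carried in the reply
    qname: str      # name the reply claims to answer

class ToyResolver:
    """Tracks outstanding queries by (source port, txid); a reply is accepted
    only when both match and the name agrees. Mismatches are counted so the
    caller can treat a flood of them as a cache-poisoning attempt signal."""

    def __init__(self, fixed_port=None, seed=0):
        self.fixed_port = fixed_port    # 53 models 'query-source ... port 53'
        self.rng = random.Random(seed)  # seeded only so the demo is repeatable
        self.outstanding = {}           # (port, txid) -> qname
        self.cache = {}
        self.rejected = 0

    def send_query(self, qname):
        port = self.fixed_port or self.rng.choice(EPHEMERAL)
        txid = self.rng.getrandbits(TXID_BITS)
        self.outstanding[(port, txid)] = qname
        return port, txid

    def receive(self, reply, rdata):
        key = (reply.dst_port, reply.txid)
        if self.outstanding.get(key) != reply.qname:
            self.rejected += 1          # unsolicited or mismatched: log and drop
            return False
        del self.outstanding[key]       # one answer per query; later copies are dropped
        self.cache[reply.qname] = rdata
        return True

def guess_space(fixed_port):
    """(port, txid) combinations an off-path forger must cover per query."""
    return (1 if fixed_port else len(EPHEMERAL)) * (1 << TXID_BITS)

if __name__ == "__main__":
    r = ToyResolver(fixed_port=53)
    port, txid = r.send_query("example.com.")
    print("fixed port:", port, "guess space:", guess_space(True))
    print("random port guess space:", guess_space(False))
    print("genuine reply accepted:", r.receive(Reply(port, txid, "example.com."), "192.0.2.1"))
```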
