RE: Securing DNS Server

["Michael Vaughan" <list () predator-hunter com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Folks,

If I am not mistaken, the DNS server in the DMZ should be a SECONDARY
IE: a non-writable database.  Furthermore, the DNS server on your
internal network should be the primary giving ONLY appropriate
information regarding the location of external services. IE: not
allowing DNS zone transfers except from specific servers...etc. 
Essentially, the external DMZ server services external requests for
resolving services offered in the DMZ ONLY and the internal DNS
server (Primary) offers services to internal clients for resolving
outside sites & services.  My question is why would you be allowing
ANY outgoing connections from your DMZ DNS server to external root
servers other than what is on your site? If you have other services
located at other locations...you can add those to the DNS manually or
through zone transfer. I would propose that the DMZ DNS server should
ONLY resolve your DMZ services and no one else's. IE: Why would I
want someone using my DNS server externally to resolve yahoo?
Basically I am saying that if the service can not be resolved
externally to your site(s) then it should fail. Your internal DNS
server would service all of your internal clients and would not be
accessible from external sources period.  There are notable
exceptions depending on your requirements but am I missing the point
of your question?  I am assuming you have a DMZ and you are in NO WAY
allowing anyone to connect to your internal network directly.  Is
that correct?


- -Michael Vaughan
mvaughan () predator-hunter com
http://www.predator-hunter.com

The information contained in this message may contain privileged and
confidential information and is intended only for the internal
company use of the individual or entity named above.  If the reader
of this message is not the intended recipient, or the employee or
agent responsible to deliver it to the intended recipient, you are
hereby notified that any examination, distribution or copying of this
communication is strictly prohibited.  Furthermore, any and all
recipients of this message are prohibited from engaging in the
unauthorized dissemination of the information contained herein to
person(s) outside the company.   If you have received this
communication in error, please notify sender immediately. 

- -----Original Message-----
From: Naman Latif [mailto:naman.latif () inamed com] 
Sent: Friday, November 01, 2002 7:31 PM
To: security-basics
Subject: Securing DNS Server

Hi,
I am trying to restrict Access to our DNS Server from Outside using a
Cisco IOS Firewall. Initially we only had Port 53 Access to this
Server
from outside.
But it turned out that when our DNS Server has to query a root name
server, it sends out a UDP query with a random higher (>1023) source
port number, which means that I will have to open >1023 Ports access
to
this server from outside.
In this situtation How do I protect my DNS server from outside
attacks
on higher port numbers ?
Is there a range of Source Port numbers that a BIND DNS server would
use, when querying outside servers ?



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPcbdZuqV6OTyHFF7EQJoPgCgxyxV0964WY3BFQAuj6VxxzXpZ3QAoKNc
zjic3/Q9TAzAe8FYYqGSt66i
=oLS0
-----END PGP SIGNATURE-----