Firewall Wizards mailing list archives
Re: Interesting DNS Traffic -Reply -Reply
From: "Ge' Weijers" <ge () progressive-systems com>
Date: Fri, 4 Jun 1999 10:22:19 -0400
On Thu, Jun 03, 1999 at 06:16:00PM +0100, Einar EINARSSON wrote:
OK, packet filters are not the definitive answer to network insecurity, there are weaknesses, etc., but still it won't hurt if I put a few of those in there, right? So as I try to put together the filtering rule for DNS flow, for example, and given that the idea of a packet filtering router is to open up as few ports as possible, and given that one of the few things useful in a packet header, for this purpose, are source and destination ports, how can I write the rule if some DNS lookup implementations use one source port range and others use another port range? I mean, how on earth do you program a router under such circumstances?
You can't pass DNS or any other UDP traffic securely just using router ACLs. You will need more than that. The simplest way is to allow internal machines to query a DNS server on your DMZ, and to allow this server to proxy the queries. If you're using BIND you will only have to allow UDP packets with source _and_ destination port 53 through your external router, and all outgoing connections to TCP port 53 to handle huge replies.

If you are unable to install a DNS server on short notice you may want to enable your internal clients to query your ISP's DNS servers _only_. This will open you up to UDP attacks from your ISP's machines, but it's better than nothing.

I use this trick to build a simple ACL for my laptop computer: I allow UDP packets from my machine to port 53 on dns1.<isp>.net and dns2.<isp>.net and vice versa, and I've blocked access to all the UDP services running (syslog mainly).

Ge'

--
Ge' Weijers                         Voice: (614) 326 4600
Progressive Systems, Inc.           FAX:   (614) 326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
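Worked example (added to this archive page; it is not code from the thread or from Progressive Systems): a first-match, stateless router-ACL model in Python that encodes the two rule sets Ge' describes above, so you can see exactly which packets each one lets through. BIND_PROXY_RULES is the "source and destination port 53, plus outbound TCP/53" filter for a BIND forwarder on the DMZ; CLIENT_TO_ISP_RULES is the fallback of letting inside hosts talk to the ISP's resolvers and back; CLIENT_TO_ISP_HARDENED adds what Ge' says he did on his laptop, an explicit deny for the host's own UDP services (syslog, 514/udp) placed ahead of the permits. All addresses are constructed from the RFC 5737 documentation ranges, and 198.51.100.1/.2 stand in for dns1/dns2.<isp>.net; the `established` flag models the classic Cisco ACL keyword that matches only TCP segments with the ACK bit set, which a stateless filter needs for the reply half of the outbound TCP/53 connections. One caveat a practitioner would add today: the "source port 53" half of the BIND rule assumes the server sends queries from a fixed port. Resolvers have randomised the UDP source port by default since 2008, so this rule only works if BIND is pinned to port 53 with its query-source option, which in turn gives up most of that randomisation's protection against cache poisoning; a stateful firewall that tracks the outbound query is the better fix.

```python
"""Stateless packet-filter (router ACL) model for the DNS rule sets in the thread.

Added illustration, not code from the mailing list.  Addresses are constructed
documentation-range values (RFC 5737); the ISP resolver names are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False     # TCP ACK bit set, i.e. not the opening SYN


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp" or "any"
    src: str                     # CIDR source match
    sport: Optional[int]         # None = any source port
    dst: str                     # CIDR destination match
    dport: Optional[int]         # None = any destination port
    established: bool = False    # TCP only: match only if ACK is set (Cisco 'established')

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def permitted(rules: List[Rule], p: Packet) -> bool:
    """First matching rule decides; no match means the ACL's implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action == "permit"
    return False


# Constructed topology: inside net, one BIND forwarder on the DMZ, two ISP resolvers.
INSIDE = "10.0.0.0/8"
DMZ_DNS = "192.0.2.53/32"
ISP_DNS = ["198.51.100.1/32", "198.51.100.2/32"]   # stand-ins for dns1/dns2.<isp>.net

# Ge's BIND-on-the-DMZ filter: UDP 53<->53 both ways, outbound TCP to 53 for big replies.
BIND_PROXY_RULES = [
    Rule("permit", "udp", DMZ_DNS, 53, ANY, 53),
    Rule("permit", "udp", ANY, 53, DMZ_DNS, 53),
    Rule("permit", "tcp", DMZ_DNS, None, ANY, 53),
    Rule("permit", "tcp", ANY, 53, DMZ_DNS, None, established=True),  # reply segments only
]

# Fallback: inside clients may talk to the ISP resolvers on UDP/53, and they may talk back.
CLIENT_TO_ISP_RULES = [
    r for isp in ISP_DNS
    for r in (Rule("permit", "udp", INSIDE, None, isp, 53),
              Rule("permit", "udp", isp, 53, INSIDE, None))
]

# Same, with the host's own UDP services (syslog here) denied ahead of the permits.
CLIENT_TO_ISP_HARDENED = [Rule("deny", "udp", ANY, None, INSIDE, 514)] + CLIENT_TO_ISP_RULES


def main() -> None:
    cases = [
        ("BIND proxy: forwarder query out", BIND_PROXY_RULES,
         Packet("udp", "192.0.2.53", 53, "203.0.113.10", 53)),
        ("BIND proxy: sport-53 packet aimed at syslog", BIND_PROXY_RULES,
         Packet("udp", "203.0.113.10", 53, "192.0.2.53", 514)),
        ("BIND proxy: inside host bypassing the forwarder", BIND_PROXY_RULES,
         Packet("udp", "10.0.0.5", 40000, "203.0.113.10", 53)),
        ("ISP fallback: spoofed sport-53 packet to syslog", CLIENT_TO_ISP_RULES,
         Packet("udp", "198.51.100.2", 53, "10.0.0.5", 514)),
        ("ISP hardened: same packet", CLIENT_TO_ISP_HARDENED,
         Packet("udp", "198.51.100.2", 53, "10.0.0.5", 514)),
    ]
    for label, rules, pkt in cases:
        print(f"{label:50s} -> {'permit' if permitted(rules, pkt) else 'deny'}")


if __name__ == "__main__":
    main()
```

Running it shows the point of the thread in one table: the DMZ-forwarder filter lets nothing but 53-to-53 UDP and the forwarder's own TCP/53 connections through, so a packet with source port 53 aimed at syslog on the DMZ host is dropped; the client-to-ISP fallback passes that same spoofed packet to any inside UDP port (the exposure Ge' acknowledges), and only the explicit deny for the listening service closes it.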
Current thread:
- Re: Interesting DNS Traffic The Unicorn (Jun 01)
- <Possible follow-ups>
- Re: Interesting DNS Traffic Robert Graham (Jun 01)
- Re: Interesting DNS Traffic Joseph S D Yao (Jun 02)
- Re: Interesting DNS Traffic Andrew Fessler (Jun 01)
- Re: Interesting DNS Traffic Ryan Russell (Jun 02)
- Re: Interesting DNS Traffic David Gillett (Jun 03)
- Re: Interesting DNS Traffic Vern Paxson (Jun 02)
- Re: Interesting DNS Traffic -Reply Einar EINARSSON (Jun 02)
- Re: Interesting DNS Traffic -Reply Ge' Weijers (Jun 03)
- Re: Interesting DNS Traffic -Reply -Reply Einar EINARSSON (Jun 03)
- Re: Interesting DNS Traffic -Reply -Reply Ge' Weijers (Jun 04)
- Re: Interesting DNS Traffic -Reply John McDermott (Jun 03)
- Re: Interesting DNS Traffic -Reply Chris Calabrese (Jun 03)