Firewall Wizards mailing list archives

Re: Interesting DNS Traffic -Reply -Reply


From: "Ge' Weijers" <ge () progressive-systems com>
Date: Fri, 4 Jun 1999 10:22:19 -0400

On Thu, Jun 03, 1999 at 06:16:00PM +0100, Einar EINARSSON wrote:
OK, packet filters are not the definitive answers to network
insecurity, there are weaknesses, etc. but still it won't hurt if
I put a few of those in there, right ? So as try to put together
the filtering rule for DNS flow, for example, and given that the
idea of a packet filtering router is to open up as few ports as
possible, and given that one of the few things useful in a
packet header, for this purpose, are source and destination
ports, how can I write the rule if some DNS lookups
implementations use one source port range and other use
another port range ? I mean how on earth do you program a
router under such circumstances ? 

You can't pass DNS or any other UDP traffic securely just using router
ACLs. You will need more than that. The simplest way is to allow
internal machines to query a DNS server on your DMZ, and to allow this
server to proxy the queries. If you're using BIND you will only have to
allow UDP packets with source _and_ destination port 53 through your
external router and all outgoing connections to TCP port 53 to handle
huge replies.

If you are unable to install a DNS server on short notice you may want
to enable your internal clients to query your ISP's DNS servers
_only_. This will open you up to UDP attacks from your ISP's machines,
but it's better than nothing.

I use this trick to build a simple ACL for my laptop computer: I allow
UDP packets from my machine to port 53 on dns1.<isp>.net and
dns2.<isp>.net and vice versa, and I've blocked access to all the UDP
services running (syslog mainly).

Ge'

-- 
-
Ge' Weijers                                Voice: (614)326 4600
Progressive Systems, Inc.                    FAX: (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
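The two-hop layout the reply describes, as an added Python model (not code from the original post) of the stateless ACLs: the external router passes only UDP 53<->53 to and from the DMZ resolver plus outbound TCP 53 for large replies, while the internal router lets clients with any source port reach only the DMZ resolver. The addresses, and the assumption that the resolver sends its own queries from source port 53 (as the reply assumes for BIND), are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for the model (assumptions, not from the post).
INTERNAL_NET = ip_network("10.0.0.0/24")
DMZ_DNS = ip_address("192.0.2.53")   # DMZ resolver that proxies all queries


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp" or "tcp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False     # TCP only: True on every segment after the SYN


def external_router_allows(p: Packet) -> bool:
    """External router ACL, stateless: UDP with port 53 on *both* ends and the
    DMZ server on one end; outbound TCP 53 from the server, and TCP 53 replies
    to it only when ACK is set (a router's 'established' check)."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if p.proto == "udp":
        return p.sport == 53 and p.dport == 53 and DMZ_DNS in (src, dst)
    if p.proto == "tcp":
        if src == DMZ_DNS and p.dport == 53:        # outgoing connection
            return True
        return dst == DMZ_DNS and p.sport == 53 and p.ack   # replies only
    return False


def internal_router_allows(p: Packet) -> bool:
    """Inside ACL: clients (any source port) may talk DNS to the DMZ server;
    the server answers from port 53; nothing else leaves the inside."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if p.proto not in ("udp", "tcp"):
        return False
    if src in INTERNAL_NET and dst == DMZ_DNS and p.dport == 53:
        return True
    return src == DMZ_DNS and p.sport == 53 and dst in INTERNAL_NET


if __name__ == "__main__":
    # A client querying the outside directly from an ephemeral port: the
    # external ACL cannot express this, which is the problem in the question.
    direct = Packet("udp", "10.0.0.7", "198.51.100.10", 1234, 53)
    print("direct client query at external router:", external_router_allows(direct))
    # The same lookup proxied through the DMZ resolver passes both hops.
    print("client -> DMZ resolver:", internal_router_allows(Packet("udp", "10.0.0.7", "192.0.2.53", 1234, 53)))
    print("DMZ resolver -> outside:", external_router_allows(Packet("udp", "192.0.2.53", "198.51.100.10", 53, 53)))
```

Note that the UDP rule still admits any outside host that sends from port 53 to the resolver, which is the residual exposure the reply points out.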


