Firewall Wizards mailing list archives

Does blocking TCP DNS packets keep your Bind safe?


From: Don Kendrick <don () netspys com>
Date: Wed, 07 Mar 2001 16:09:01 -0500

OK, here I go again breaking things :)

Over the years I've argued about blocking icmp at the border routers. Steve Bellovin et al would usually argue that it breaks path MTU, etc. I'd usually argue that we can rely on path MTU being negotiated elsewhere in the path (LAN vs. WAN bandwidth)...but I digress

Here's what I am suggesting:

1. We should all only do zone transfers (TCP) with known secondaries.

2. Most if not all "normal" queries needed by legit Internet traffic are UDP.

Why not just block port 53 TCP connections at the border routers except for our secondaries? Is it possible to do a buffer overflow or other DNS/Bind exploit via UDP? I don't know the answer; I'm asking.

Don



Don Kendrick, CNE, CCNA, GCIA, CISSP
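The main caveat a practitioner would raise against the proposal above is the DNS truncation fallback: when an answer does not fit in a UDP datagram (classically 512 bytes without EDNS), the server sets the TC bit and the client is expected to retry the same query over TCP (RFC 1035). If the border router drops TCP/53 from everyone except the secondaries, those retries from ordinary outside resolvers never arrive, and the lookup fails for exactly the larger answers. The following Python is an added illustration, not code from the list post or from BIND: it models the proposed rule with placeholder secondary addresses (RFC 5737 ranges) and parses a constructed DNS response header to show which replies would complete and which would be lost.

```python
import ipaddress
import struct

# DNS header, RFC 1035 section 4.1.1: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")
QR_BIT = 0x8000  # message is a response
TC_BIT = 0x0200  # response was truncated; client should retry over TCP
RD_BIT = 0x0100  # recursion desired
RA_BIT = 0x0080  # recursion available

# Assumed secondaries for the border rule (placeholder addresses, not from the post)
SECONDARIES = {
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("198.51.100.20"),
}


def border_allows(proto: str, dport: int, src: str) -> bool:
    """Model of the proposed inbound rule toward our name server:
    UDP/53 from anyone, TCP/53 only from the known secondaries."""
    if dport != 53:
        return True  # other ports are out of scope for this example
    if proto == "udp":
        return True
    if proto == "tcp":
        return ipaddress.ip_address(src) in SECONDARIES
    return False


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its fields."""
    if len(msg) < HEADER.size:
        raise ValueError("DNS message shorter than a header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    return {
        "id": ident,
        "qr": bool(flags & QR_BIT),
        "tc": bool(flags & TC_BIT),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def make_response(ident: int, truncated: bool) -> bytes:
    """Constructed sample response: header plus one question (example.com A IN).
    A real truncated reply would carry partial records; only the header matters here."""
    flags = QR_BIT | RD_BIT | RA_BIT | (TC_BIT if truncated else 0)
    header = HEADER.pack(ident, flags, 1, 0 if truncated else 1, 0, 0)
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def classify_udp_reply(msg: bytes, tcp_53_allowed: bool) -> str:
    """Outcome for a resolver that got this UDP reply from our server,
    given whether its TCP/53 retry would pass the border rule."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if not h["tc"]:
        return "complete"          # normal case: the whole answer fit in UDP
    if tcp_53_allowed:
        return "retry-over-tcp"    # RFC 1035 fallback works
    return "answer-lost"           # the retry SYN is dropped; the lookup fails or times out


if __name__ == "__main__":
    for src in ("203.0.113.5", "192.0.2.10"):
        allowed = border_allows("tcp", 53, src)
        for truncated in (False, True):
            reply = make_response(0x1234, truncated)
            print(src, "TC=%d" % truncated, "->", classify_udp_reply(reply, allowed))
```

Running it shows the asymmetry: a secondary's truncated reply can be retried, while an outside resolver's truncated reply is simply lost. Whether that matters depends on how many of the zone's answers exceed the UDP limit, which is the check to run before deploying the rule.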

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

