Firewall Wizards mailing list archives

Re: Does blocking TCP DNS packets keep your Bind safe?


From: Bill_Royds () pch gc ca
Date: Fri, 9 Mar 2001 10:25:22 -0500

Don Kendrick said:
     2. Most if not all "normal" queries needed by legit Internet traffic are UDP.

This is not at all true. Nowadays, requests for DNS over TCP for large reverse
DNS lookups are very common. If you have a firewall that is verifying DNS for
logs etc., you will have a large number of TCP DNS lookups for multi-hosted web
farms etc.

You can still block it, but you may miss a lot of useful information in a
security context.





Don Kendrick <don () netspys com> on 03/07/2001 04:09:01 PM

 To:      firewall-wizards () nfr net
 cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)
 Subject: [fw-wiz] Does blocking TCP DNS packets keep your Bind safe?

OK, here I go again breaking things :)

Over the years I've argued about blocking ICMP at the border routers. Steve
Bellovin et al. would usually argue that it breaks path MTU, etc. I'd
usually argue that we can rely on path MTU being negotiated elsewhere in
the path (LAN vs. WAN bandwidth)... but I digress.

Here's what I am suggesting:

1. We should all only do zone transfers (TCP) with known secondaries.

2. Most if not all "normal" queries needed by legit Internet traffic are UDP.

Why not just block port 53 TCP connections at the border routers except for
our secondaries? Is it possible to do a buffer overflow or other DNS/Bind
exploit via UDP? I don't know the answer, I'm asking.

Don



Don Kendrick, CNE, CCNA, GCIA, CISSP
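
Editor's note: the point Bill raises, that ordinary resolvers need TCP/53 whenever a UDP answer comes back truncated (the TC bit in the DNS header, RFC 1035 section 4.1.1), can be shown with a short Python script. This is an added example for this archive page, not code from either poster. It builds a query for a reverse lookup, parses the 12-byte header, checks the TC bit, and models what happens behind a border filter that drops TCP/53. The truncated reply is constructed inline rather than captured from a real server, and the function names are this editor's own.

```python
import struct

# Header flag bits from RFC 1035 section 4.1.1.
FLAG_QR = 0x8000  # 1 = response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_TC = 0x0200  # message was truncated to fit the UDP limit


def build_query(qname: str, qtype: int = 12, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (QDCOUNT=1, RD set). qtype 12 = PTR."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN
    return header + question


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header; raise on anything shorter."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def make_reply(query: bytes, truncated: bool) -> bytes:
    """Constructed sample reply: echoes the question section back with QR/RD/RA
    set and, if requested, the TC bit; no answer records are included."""
    txid = struct.unpack(">H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    return struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def needs_tcp_retry(udp_response: bytes) -> bool:
    """A resolver must repeat the query over TCP when the UDP reply has TC set."""
    h = parse_header(udp_response)
    return h["qr"] and h["tc"]


def tcp_framing(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length
    (RFC 1035 section 4.2.2); this is what a TCP/53 filter would be dropping."""
    return struct.pack(">H", len(msg)) + msg


def resolve_outcome(udp_response: bytes, tcp53_permitted: bool) -> str:
    """Model the client's fate behind a border filter:
    'complete'       - the UDP answer was not truncated, nothing more needed
    'retry-over-tcp' - TC set and TCP/53 is open, so the lookup still succeeds
    'lost'           - TC set but TCP/53 is blocked, so the lookup fails"""
    if not needs_tcp_retry(udp_response):
        return "complete"
    return "retry-over-tcp" if tcp53_permitted else "lost"


if __name__ == "__main__":
    # Reverse lookup of a constructed address; PTR answers for multi-hosted
    # farms are exactly the kind that overflow a 512-byte UDP reply.
    q = build_query("4.3.2.1.in-addr.arpa")
    big = make_reply(q, truncated=True)
    small = make_reply(q, truncated=False)
    print("udp query bytes:", len(q), "tcp-framed:", len(tcp_framing(q)))
    print("small answer, TCP/53 blocked:", resolve_outcome(small, False))
    print("large answer, TCP/53 open:   ", resolve_outcome(big, True))
    print("large answer, TCP/53 blocked:", resolve_outcome(big, False))
```

The script never touches the network; it only shows the decision a resolver makes from the header bits, which is why a filter on TCP/53 silently loses exactly the large reverse-lookup answers Bill describes rather than producing an obvious error.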





_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards