Firewall Wizards mailing list archives

Re: terminal services


From: Paul Robertson <proberts () patriot net>
Date: Wed, 29 Jan 2003 17:09:29 -0500 (EST)

On Wed, 29 Jan 2003, Barney Wolff wrote:

> This is just wrong - both bind's named and ntpd can be configured to send
> requests only from 53/123.  ntpd does it by default; it's ntpdate that

Let's not forget that nailing DNS source ports to 53 reduces somewhat 
(though by a trivial amount) resistance to blind spoofing attacks. 

For non-recursive resolvers, it may be a slight issue, since fewer packets 
gives a good chance to win a race.  For recursive resolvers, or resolvers 
doing resolution based on external factors (like e-mail), it's probably 
not much of an issue to predict the query port.  Cache poisoning attacks 
being easier certainly aren't a good thing, even if it's a very small bit 
easier.

I think next time I have to build a network though, the mailserver's DNS 
will be separate from the general populace's resolver.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
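The point Paul makes above, that fixing the query source port to 53 shrinks what a blind spoofer has to guess, can be put in numbers. The following is an added example, not code from the original post or from either correspondent: it models the guess space a forged reply must hit (16-bit transaction ID alone when the port is nailed, transaction ID times the ephemeral port range when the resolver randomizes), the per-race hit probability for an attacker who fires N distinct forged replies before the real answer arrives, and a Monte Carlo of one such race. The 1024-65535 ephemeral port range and the "distinct guesses per window" attacker model are assumptions of the example.

```python
"""Added example: how fixing a resolver's source port to 53 changes the odds of a
blind (off-path) DNS spoof. Not code from the original mailing-list post."""
import random

TXID_BITS = 16                 # DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = (1024, 65535)  # assumed source-port range for a randomizing resolver


def guess_space(fixed_port: bool, port_range=EPHEMERAL_PORTS) -> int:
    """Number of (txid, source port) pairs a blind attacker must cover.

    With the query source port nailed to 53, only the txid is unknown.
    With a randomized source port, the port multiplies the search space.
    """
    txids = 1 << TXID_BITS
    ports = 1 if fixed_port else (port_range[1] - port_range[0] + 1)
    return txids * ports


def hit_probability(forged_per_window: int, fixed_port: bool) -> float:
    """Chance that at least one of N distinct forged replies matches the
    outstanding query in a single race window (before the real reply lands)."""
    space = guess_space(fixed_port)
    return min(1.0, forged_per_window / space)


def expected_races(forged_per_window: int, fixed_port: bool) -> float:
    """Expected number of races (i.e. queries the attacker can trigger) until
    the first successful poisoning, assuming independent attempts."""
    p = hit_probability(forged_per_window, fixed_port)
    return float("inf") if p == 0 else 1.0 / p


def simulate_race(forged_per_window: int, fixed_port: bool, rng: random.Random) -> bool:
    """Monte Carlo of one race: the resolver picks its (txid, port) uniformly,
    the attacker fires N forged replies with distinct guesses. Returns True if
    one of them would have been accepted."""
    space = guess_space(fixed_port)
    target = rng.randrange(space)
    guesses = rng.sample(range(space), min(forged_per_window, space))
    return target in set(guesses)


if __name__ == "__main__":
    # An attacker who can squeeze ~1000 forged replies into the race window.
    n = 1000
    for fixed in (True, False):
        label = "port fixed to 53" if fixed else "randomized source port"
        print(f"{label:24s} space={guess_space(fixed):>12d} "
              f"p(hit)={hit_probability(n, fixed):.2e} "
              f"expected races={expected_races(n, fixed):.3g}")
    rng = random.Random(2003)
    trials = 2000
    hits = sum(simulate_race(n, True, rng) for _ in range(trials))
    print(f"simulated hit rate, fixed port, {trials} races: {hits / trials:.3f}")
```

For a non-recursive or lightly loaded resolver the attacker gets few races, so each race has to carry a lot of forged packets; nailing the port to 53 is what lets the txid alone decide the outcome. Where queries can be triggered at will (for instance by mailing the server), the number of races is effectively unbounded and the port guess matters less, which is the distinction Paul draws.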


Current thread: