Firewall Wizards mailing list archives
Re: terminal services
From: Paul Robertson <proberts () patriot net>
Date: Wed, 29 Jan 2003 17:09:29 -0500 (EST)
On Wed, 29 Jan 2003, Barney Wolff wrote:
> This is just wrong - both bind's named and ntpd can be configured to send requests only from 53/123. ntpd does it by default; it's ntpdate that

Let's not forget that nailing DNS source ports to 53 reduces somewhat (though by a trivial amount) resistance to blind spoofing attacks. For non-recursive resolvers, it may be a slight issue, since fewer packets gives a good chance to win a race. For recursive resolvers, or resolvers doing resolution based on external factors (like e-mail,) it's probably not much of an issue to predict the query port.

Cache poisoning attacks being easier certainly aren't a good thing, even if it's a very small bit easier. I think next time I have to build a network though, the mailserver's DNS will be separate from the general populace's resolver.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
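
The entropy argument in the message above, worked through as an added example (not part of the original post): it labels a resolver's observed query source ports and computes the chance that a given number of blind forged replies contains the right (port, transaction ID) pair. The sample ports, the 64512-port pool and the 500-reply window are constructed assumptions, and the random-port row goes beyond the cases the message discusses.

```python
TXID_SPACE = 2 ** 16  # the DNS header's transaction ID is 16 bits
ASSUMED_POOL = 64512  # assumption: ports 1024-65535 available when randomising
FORGED = 500          # assumption: forged replies that fit in one race window

# Constructed samples: source ports of consecutive outbound queries.
SAMPLES = {
    "named, source port nailed to 53": [53, 53, 53, 53, 53, 53],
    "OS ephemeral port counter": [1025, 1026, 1028, 1029, 1031, 1032],
    "random port per query": [40211, 1893, 61002, 27744, 5120, 33391],
}


def classify_ports(ports):
    """Label observed source ports as pinned, sequential or scattered."""
    if len(set(ports)) == 1:
        return "pinned"          # every query left from the same port
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if all(0 < s <= 16 for s in steps):
        return "sequential"      # small upward steps: next port is guessable
    return "scattered"           # no obvious pattern in this sample


def effective_port_pool(label, pool_size=ASSUMED_POOL):
    """Ports a blind sender must cover; a predictable port counts as one."""
    return pool_size if label == "scattered" else 1


def match_probability(forged, port_pool):
    """Chance that `forged` distinct (port, TXID) guesses contain the right
    pair before the genuine answer arrives, assuming uniform TXIDs."""
    return min(1.0, forged / (port_pool * TXID_SPACE))


def report(samples=SAMPLES, forged=FORGED):
    """Map each sample name to (label, match probability)."""
    rows = {}
    for name, ports in samples.items():
        label = classify_ports(ports)
        rows[name] = (label, match_probability(forged, effective_port_pool(label)))
    return rows


if __name__ == "__main__":
    for name, (label, p) in report().items():
        print(f"{name:32s} {label:10s} P(match) = {p:.2e}")
```

In this model the pinned and counter-driven resolvers score the same, because a predictable port adds nothing to the 16-bit transaction ID; only the per-query random port enlarges the space a forged reply has to cover.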