Security Incidents mailing list archives

Re: Large DNS scans from 211.53.208.178


From: sysadmin () SASSPRODUCTIONS COM (Seth Georgion)
Date: Wed, 3 May 2000 23:35:12 -0400


I think one of the key strengths behind limiting TCP/53 through the firewall is the inability for attackers to use port
53 on inside machines. For instance, if someone were to attack a web server with the RFP Data Access Components exploit
and open up a port on 53, then they could navigate through the firewall and consolidate control. Or if an employee
turned on remote control software and enabled it for 53. By specifying TCP/53 DENY you have pretty much stopped
script-kiddie exploitation of that area. Also, not sure about this, but don't most canned BIND exploits rely on TCP/53
access?

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of sigipp () WELLA COM BR
Sent: Wednesday, May 03, 2000 7:24 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Large DNS scans from 211.53.208.178

Hi Seth,

I don't think that disabling 53/tcp in the firewall is always a good idea. Not all
normal requests (or rather their answers) fit into a single UDP packet (at least in
IPv4). So if it does not fit, it will be requested/sent with TCP. TCP is not only
for zone transfers.

I prefer another method: setting up a "shadow domain", as described in
"DNS and BIND" by Paul Albitz & Cricket Liu. Our official DNS has only three
entries. So it does not make much difference in doing a zone transfer or making
three requests. Normally the official DNS would only contain data for some
well-known services (http, ftp, mail, dns) and may be completely different from
the internal names and/or addresses.

I think dividing the namespace into a "real" namespace without common access,
and a very much restricted "shadow" namespace with free access for everyone adds
more security than disallowing 53/tcp. And if you really need to restrict zone
transfers, this is better done in the DNS server configuration.

Nevertheless some bureaucrats have decided to allow 53/tcp only for our secondary
name server. I don't think that it adds any security, for this address may be
spoofed. Although it will be quite difficult to redirect or sniff the answer (no
source routed packets allowed).

Greetings from Rio de Janeiro
Siegfried Gipp
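Siegfried's point that ordinary answers can exceed one UDP packet, shown with an added example that is not part of the thread: a minimal DNS response builder that, when the answer exceeds the classic 512-byte UDP payload limit (RFC 1035, without EDNS0), strips the answers and sets the TC bit, which is exactly the moment a resolver retries over TCP/53 and a blanket TCP/53 DENY breaks resolution. The query name and addresses are constructed sample values.

```python
import struct

UDP_MAX = 512     # classic DNS-over-UDP payload limit (RFC 1035), pre-EDNS0
TC_FLAG = 0x0200  # TrunCation bit in the DNS header flags

def encode_name(name):
    """Encode a dotted name in uncompressed DNS label form."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_response(qname, addresses, txn_id=0x1234):
    """Build a DNS response to an A query with one A record per address (constructed data)."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C = compression pointer to offset 12 (the question name); TYPE A, CLASS IN, TTL, RDLENGTH
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    flags = 0x8180  # QR=1 (response), RD=1, RA=1
    header = struct.pack("!HHHHHH", txn_id, flags, 1, len(addresses), 0, 0)
    return header + question + answers

def udp_reply(msg):
    """Return (wire_bytes, truncated): what a server may send over UDP.

    A message larger than UDP_MAX is cut back to header + question with TC set;
    the client is then expected to repeat the query over TCP port 53.
    """
    if len(msg) <= UDP_MAX:
        return msg, False
    txn_id, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    # Walk the (uncompressed) question name to find where the question section ends.
    q_end = 12
    while msg[q_end] != 0:
        q_end += msg[q_end] + 1
    q_end += 1 + 4  # terminating zero label + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txn_id, flags | TC_FLAG, qd, 0, 0, 0)
    return header + msg[12:q_end], True

def is_truncated(msg):
    """True if the TC bit is set, i.e. the client must retry over TCP."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & TC_FLAG)
```

With 40 A records the 673-byte answer does not fit; the UDP reply carries only the 33-byte header and question with TC set, so a resolver that cannot reach TCP/53 gets no usable answer at all.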

