Security Incidents mailing list archives
Re: Large DNS scans from 211.53.208.178
From: kaos () OCS COM AU (Keith Owens)
Date: Sun, 7 May 2000 13:29:27 +1000
On Wed, 3 May 2000 19:28:01 -0400, Igor Gashinsky <pain () ROYAL NET> wrote:
> It may be worth a try to log traffic to your DNS server, and see if everything is over UDP, and if it is, lock up 53/TCP. It would greatly improve the security of that machine.
Better still, allow all outgoing 53/TCP but only allow incoming 53/TCP when the ACK bit is set, i.e. if the packet belongs to an existing session. That way you can still use DNS over TCP to query servers which return large packets (you start the session), but nobody can access your DNS over TCP (they cannot start a session). This assumes that none of your DNS responses are large enough to require TCP. Don't forget to allow your external secondary name servers to access DNS over TCP; they need it for zone transfers.
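As an added illustration (not part of Keith's post), here is the stateless 53/TCP policy he describes modelled as a Python decision function, so the four cases it distinguishes can be checked against sample packets. The addresses and ports are constructed; the secondary's address stands in for whatever external secondaries a site actually has.

```python
from dataclasses import dataclass

# Constructed addresses for the illustration (documentation ranges, not from the thread).
OUR_NS = "192.0.2.53"            # our name server
SECONDARIES = {"198.51.100.2"}   # external secondaries allowed to open 53/TCP to us (zone transfers)


@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # TCP SYN flag
    ack: bool  # TCP ACK flag


def decide(pkt: TcpPacket) -> str:
    """Stateless filter policy from the post; returns 'accept' or 'drop'.

    Only packets touching port 53 are in scope. A session's first packet is a
    bare SYN (no ACK), so requiring ACK on inbound 53/TCP means remote hosts
    cannot start sessions to us, while replies to sessions we started still
    pass. A stray inbound ACK with no matching session is answered by the
    kernel with a RST, which is why the rule is safe without connection tracking.
    """
    if 53 not in (pkt.sport, pkt.dport):
        return "accept"  # not DNS over TCP; outside this policy
    if pkt.dst != OUR_NS:
        return "accept"  # all outgoing 53/TCP allowed: we start the session
    if pkt.ack:
        return "accept"  # part of an existing session (e.g. SYN+ACK reply to our query)
    if pkt.dport == 53 and pkt.src in SECONDARIES:
        return "accept"  # secondaries may open a session to us for zone transfers
    return "drop"        # anyone else trying to start a session to our 53/TCP


def run_samples() -> dict:
    """Constructed sample packets, one per case the policy distinguishes."""
    samples = {
        "our_query_out":   TcpPacket(OUR_NS, "203.0.113.10", 40000, 53, syn=True, ack=False),
        "server_synack":   TcpPacket("203.0.113.10", OUR_NS, 53, 40000, syn=True, ack=True),
        "stranger_syn_in": TcpPacket("203.0.113.99", OUR_NS, 51000, 53, syn=True, ack=False),
        "secondary_axfr":  TcpPacket("198.51.100.2", OUR_NS, 52000, 53, syn=True, ack=False),
    }
    return {name: decide(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16s} {verdict}")
```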