Security Incidents mailing list archives

Re: DNS ports and scans


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Mon, 7 May 2001 10:39:19 -0400

On Sat, 05 May 2001 12:36:05 EDT, Jason Lewis <jlewis () JASONLEWIS NET> said:
> lookups on UDP 53.  Since I have blocked TCP port 53, I have seen a decrease
> in attack attempts on my name servers, primarily because that port isn't
> open.  I do still see scans for the DNS ports, but nothing more than a port
> scan.
>
> My question is...Can anyone come up with any pros/cons of doing this?

One downside:  A proper DNS setup has at least one off-site secondary (as
Microsoft found out a while ago when all 4 of their DNS servers got cut
off because they were in the same subnet).  Make sure you punch a hole
in the block for your secondaries.

Also, if you have a host that has a long list of records, and the packet
ends up being more than 512 bytes long, it will end up using TCP.  This
may not be an issue if you don't have such DNS entries yourself.  Make sure
you also Do The Right Thing if you have to open an *outbound* connection
to somebody else's port 53 because *they* have a long list and you're trying
to talk to them.
--
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
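The truncation fallback Valdis describes, as an added example that is not part of the thread: a server whose answer exceeds the classic 512-byte UDP limit (RFC 1035, before EDNS0) returns a TC-flagged reply, and the resolver retries over TCP. The `tcp53_allowed` switch, the name `example.test` and the 10.0.0.x addresses are constructed for the demonstration.

```python
import struct

UDP_LIMIT = 512   # classic DNS-over-UDP payload limit (RFC 1035, pre-EDNS0)
TC_FLAG = 0x0200  # "truncated" bit in the DNS header flags word

def encode_name(qname):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"

def build_a_response(qname, addrs):
    """Full DNS response: header, one question, one A record per address.
    Header fields: id, flags (QR=1, AA=1), qdcount, ancount, nscount, arcount."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for a in addrs:
        # name = pointer to offset 12 (the question name), type A, class IN, TTL, rdlength, rdata
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(int(o) for o in a.split("."))
    return header + question + answers

def udp_response(qname, addrs):
    """Server side: send the whole message if it fits in 512 bytes; otherwise send
    header + question only, with TC set and ANCOUNT=0, so the client retries over TCP."""
    full = build_a_response(qname, addrs)
    if len(full) <= UDP_LIMIT:
        return full
    header = struct.pack("!HHHHHH", 0x1234, 0x8400 | TC_FLAG, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def tc_set(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)

def answer_count(msg):
    return struct.unpack("!H", msg[6:8])[0]

def resolve(qname, addrs, tcp53_allowed):
    """Client side: query over UDP first, retry over TCP when TC is set.
    tcp53_allowed models the firewall rule from the thread: False means the
    TCP retry is dropped. Returns (records received, transport used)."""
    reply = udp_response(qname, addrs)
    if not tc_set(reply):
        return answer_count(reply), "udp"
    if not tcp53_allowed:
        return 0, "failed"  # TCP 53 blocked: lookup fails although the server is healthy
    return answer_count(build_a_response(qname, addrs)), "tcp"

# Constructed sample data: a host with many A records (31 records -> 526 bytes, over the limit)
BIG_HOST = "example.test"
ADDRS = ["10.0.0.%d" % i for i in range(1, 32)]

if __name__ == "__main__":
    print(resolve(BIG_HOST, ADDRS[:30], False))  # fits in UDP, firewall irrelevant
    print(resolve(BIG_HOST, ADDRS, True))        # truncated, TCP retry succeeds
    print(resolve(BIG_HOST, ADDRS, False))       # truncated, TCP retry blocked
```

With 30 records the reply is 510 bytes and stays on UDP; the 31st pushes it to 526 bytes, and whether the lookup then succeeds depends entirely on whether TCP 53 is reachable.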
