Security Incidents mailing list archives

Re: DNS ports and scans


From: Ryan Sweat <h3xm3 () SWBELL NET>
Date: Sat, 5 May 2001 23:54:31 -0500

IIRC, the most recent BIND exploit can exploit named through UDP, so
blocking TCP may be a false sense of security, or security through
obscurity.  The best solution is to upgrade and not have to worry about
hiding vulnerable daemons behind a filter or firewall.

-ryan
----- Original Message -----
From: "Jason Lewis" <jlewis () JASONLEWIS NET>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Saturday, May 05, 2001 11:36 AM
Subject: DNS ports and scans


: DNS queries are on UDP port 53.  TCP port 53 is used for zone transfers.  By
: blocking TCP port 53 I can't do zone transfers, but clients can still do
: lookups on UDP 53.  Since I have blocked TCP port 53, I have seen a decrease
: in attack attempts on my name servers, primarily because that port isn't
: open.  I do still see scans for the DNS ports, but nothing more than a port
: scan.
:
: My question is...Can anyone come up with any pros/cons of doing this?
:
: My name servers are successfully serving my domains, so I don't see a
: downside.  Thoughts?
:
: Jason Lewis
: http://www.rivalpath.com
: "All you can do is manage the risks. There is no security."
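Added illustration (mine, not from either poster) of the two points in this exchange: named's parser receives the same DNS message bytes whether port 53 is reached over UDP or TCP, since TCP framing only adds a 2-byte length prefix, so filtering TCP 53 does not reduce the parser's exposure; and a UDP answer over 512 bytes comes back with the TC bit set, which makes the resolver retry over TCP, so a TCP-53 block also affects those lookups, not just zone transfers. Function names and the sample headers are my own constructions.

```python
import struct

UDP_MAX = 512          # RFC 1035 s4.2.1: UDP message size limit
TC_FLAG = 0x0200       # header flag bit: the response was truncated
QTYPE_A, QTYPE_AXFR = 1, 252

def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Encode a standard query (RFC 1035 s4.1): 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)          # QCLASS=IN

def frame_udp(msg: bytes) -> bytes:
    """UDP carries the message bytes unchanged, up to 512 bytes."""
    if len(msg) > UDP_MAX:
        raise ValueError("message too large for UDP")
    return msg

def frame_tcp(msg: bytes) -> bytes:
    """TCP (RFC 1035 s4.2.2) prepends a 2-byte length; the message itself is identical."""
    return struct.pack("!H", len(msg)) + msg

def unframe_tcp(stream: bytes) -> bytes:
    """What the daemon's parser sees once the TCP listener strips the length prefix."""
    (n,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + n]

def parser_input_is_identical(name: str) -> bool:
    """The parser handles the same bytes whichever transport delivered them."""
    q = build_query(name)
    return frame_udp(q) == unframe_tcp(frame_tcp(q))

def is_truncated(response: bytes) -> bool:
    """TC=1 tells the resolver the UDP answer was cut short and it must retry over TCP."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_FLAG)

def requires_tcp(qtype: int) -> bool:
    """Zone transfers (AXFR) are carried over TCP (RFC 1035 s4.2.2)."""
    return qtype == QTYPE_AXFR

# Constructed sample response headers (no answer section): TC set vs. TC clear.
TRUNCATED_HDR = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)   # QR,TC,RD,RA
COMPLETE_HDR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)    # QR,RD,RA

if __name__ == "__main__":
    print("same bytes reach the parser:", parser_input_is_identical("example.com"))
    print("TC set, resolver must retry over TCP:", is_truncated(TRUNCATED_HDR))
    print("AXFR needs TCP:", requires_tcp(QTYPE_AXFR))
```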
