Security Incidents mailing list archives
Re: DNS ports and scans
From: "Frijole" <frijole () clas net>
Date: Mon, 14 May 2001 12:16:41 -0500
There is one major downside to blocking TCP port 53 - some Microsoft clients will not be able to do host lookups properly. I have seen this on NT 4.0 with OP4 installed. The SMTP service was polling the dns server using TCP, not UDP. Searching http://support.microsoft.com I found an obscure article (that I wish I had saved) which stated that according to the RFC, both TCP and UDP connections should be allowed on public DNS servers. Once I opened TCP, the SMTP was able to resolve properly and send messages. I have noticed in my DNS server log files that many of the NT boxes on our LAN do attempt to transfer zones, but I have not taken the time to investigate it. As transfers are *still* restricted on our DNS servers, we know that the NT box referenced above was not failing due to the inability to transfer a zone, but was using TCP instead of UDP to query the DNS server. Youn Gonzales System Administrator CLAS Net Inc. Comptia A+, Network+ Cisco CCNA Chicken is tasty.. ----- Original Message ----- From: "Eyes to the Skies." <sgtphou () fire-eyes yi org> To: <INCIDENTS () SECURITYFOCUS COM> Sent: Saturday, May 05, 2001 3:18 PM Subject: Re: DNS ports and scans
Jason Lewis wrote:DNS queries are on UDP port 53. TCP port 53 is used for zone transfers.
By
blocking TCP port 53 I can't do zone transfers, but clients can still do lookups on UDP 53. Since I have blocked TCP port 53, I have seen a
decrease
in attack attempts on my name servers, primarily because that port isn't open. I do still see scans for the DNS ports, but nothing more than a
port
scan. My question is...Can anyone come up with any pros/cons of doing this? My name servers are successfully serving my domains, so I don't see a downside. Thoughts?Well, I run a cacheing DNS server, only for myself. I was always wondering how to stop it from listeing on my ppp (outside world) interface, since no one on the outside needs to connect to me. I firewalled as well. Today i figured out how to keep it listening only on the IPs/interfaces you want. I have a dial up box here, which runs the dns server. I have another box that is NAT'd as well. Anyway here's how i got it to listen only on 127.0.0.1 and 192.168.0.1 : in /etc/named.conf (this is bind8): in the options section: listen-on { 127.0.0.1; 192.168.0.1; }; So now, it doesn't even bother to listen on the ouside world (ppp0). Other thoughts, if you do need it open to the outside world, would be to have it use a different listen port. Anything other than 53. -- http://c64.arcsnet.net/ ICQ UIN 1551505 "The things you own, they end up owning you." - Tylder Durden
Current thread:
- Re: DNS ports and scans Keith Owens (May 07)
- <Possible follow-ups>
- Re: DNS ports and scans Ryan Sweat (May 07)
- Re: DNS ports and scans Abe Getchell (May 07)
- Re: DNS ports and scans Valdis Kletnieks (May 07)
- Re: DNS ports and scans Frijole (May 14)
- Re: DNS ports and scans Crist Clark (May 14)
- RE: DNS ports and scans John Coke (May 15)