Re: DNS ports and scans

["Frijole" <frijole () clas net>]

There is one major downside to blocking TCP port 53 - some Microsoft clients
will not be able to do host lookups properly. I have seen this on NT 4.0
with OP4 installed. The SMTP service was polling the dns server using TCP,
not UDP. Searching http://support.microsoft.com I found an obscure article
(that I wish I had saved) which stated that according to the RFC, both TCP
and UDP connections should be allowed on public DNS servers. Once I opened
TCP, the SMTP was able to resolve properly and send messages.

I have noticed in my DNS server log files that many of the NT boxes on our
LAN do attempt to transfer zones, but I have not taken the time to
investigate it. As transfers are *still* restricted on our DNS servers, we
know that the NT box referenced above was not failing due to the inability
to transfer a zone, but was using TCP instead of UDP to query the DNS
server.


Youn Gonzales
System Administrator
CLAS Net Inc.
Comptia A+, Network+
Cisco CCNA
Chicken is tasty..


----- Original Message -----
From: "Eyes to the Skies." <sgtphou () fire-eyes yi org>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Saturday, May 05, 2001 3:18 PM
Subject: Re: DNS ports and scans


> Jason Lewis wrote:
> > DNS queries are on UDP port 53.  TCP port 53 is used for zone transfers.
By
> > blocking TCP port 53 I can't do zone transfers, but clients can still do
> > lookups on UDP 53.  Since I have blocked TCP port 53, I have seen a
decrease
> > in attack attempts on my name servers, primarily because that port isn't
> > open.  I do still see scans for the DNS ports, but nothing more than a
port
> > scan.
> >
> > My question is...Can anyone come up with any pros/cons of doing this?
> >
> > My name servers are successfully serving my domains, so I don't see a
> > downside.  Thoughts?
>
> Well, I run a cacheing DNS server, only for myself. I was always
> wondering how to stop it from listeing on my ppp (outside world)
> interface, since no one on the outside needs to connect to me. I
> firewalled as well.
>
> Today i figured out how to keep it listening only on the IPs/interfaces
> you want.
>
> I have a dial up box here, which runs the dns server. I have another box
> that is NAT'd as well. Anyway here's how i got it to listen only on
> 127.0.0.1 and 192.168.0.1 :
>
> in /etc/named.conf (this is bind8):
>
> in the options section:
>
> listen-on { 127.0.0.1; 192.168.0.1; };
>
> So now, it doesn't even bother to listen on the ouside world (ppp0).
>
> Other thoughts, if you do need it open to the outside world, would be to
> have it use a different listen port. Anything other than 53.
> --
>
>  http://c64.arcsnet.net/
>  ICQ UIN 1551505
>  "The things you own, they end up owning you." - Tylder Durden