Penetration Testing mailing list archives

FW: DNS ACL ?


From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
Date: Thu, 17 Nov 2005 03:06:58 -0500

Guess moderation doesn't work sometimes.

Hi! This is the ezmlm program. I'm managing the
pen-test () securityfocus com mailing list.

I'm working for my owner, who can be reached
at pen-test-owner () securityfocus com.

I'm sorry, the list moderators for the pen-test list
have failed to act on your post. Thus, I'm returning it to you.
If you feel that this is in error, please repost the message
or contact a list moderator directly.

--- Enclosed, please find the message you sent.

-----Original Message-----
From: Dario Ciccarone (dciccaro) 
Sent: Saturday, November 12, 2005 12:26 AM
To: John Hally; pen-test () securityfocus com
Subject: RE: DNS ACL ?

Yup.

RFC-1035 specifies that DNS queries should use UDP as transport - and
queries are sent to the DNS server IP address, port 53. If the server
finds that the answer section is > 512 bytes, it should reply with at
most 512 bytes and set the TC bit in the answer. It is up to the host
performing the query to retry it using TCP. Check section '4.2.
Transport' in the RFC.

RFC-2671 ('Extension Mechanisms for DNS (EDNS0)') updates RFC-2671 and
allows for packet sizes > 512 when using UDP as transport. 

A reference from MS: http://support.microsoft.com/kb/828263

Some queries that might exceed the 512-byte size are those like, for
example, www.microsoft.com or www.yahoo.com, due to the number of A
records returned.

So, you will probably be OK with only allowing 53/udp to your DNS
server.

Thanks,
Dario
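The UDP/TCP behaviour Dario describes, as an added example that is not part of the original post: a small wire-format model of the server side (RFC 1035 truncation at 512 bytes, TC bit set, larger UDP answers only when the client advertises an EDNS0 OPT record) and of the client side (a TC answer means a retry over tcp/53, which an ACL permitting only udp/53 turns into a failed lookup). The hostname, the 30-address answer set and the firewall policy are constructed inputs, not data from the thread.

```python
import struct

MAX_UDP_PAYLOAD = 512          # RFC 1035 section 4.2.1: UDP messages are limited to 512 bytes
FLAG_QR, FLAG_RD, FLAG_TC = 0x8000, 0x0100, 0x0200
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, txid=0x1234, edns_udp_size=None):
    """Build an A/IN query. If edns_udp_size is given, append an EDNS0 OPT pseudo-RR
    (RFC 2671) in the additional section advertising that UDP payload size."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if edns_udp_size:
        # OPT RR: NAME=root, TYPE=41, CLASS field carries the UDP payload size,
        # TTL field carries extended RCODE/version/flags (all zero here), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict; 'tc' is the truncation bit."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def question_end(msg):
    """Offset just past the (single) question section."""
    pos = 12
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + 1 + 4          # name terminator + QTYPE + QCLASS


def find_opt_size(query):
    """UDP payload size advertised by an OPT RR in a query (no answer records), else None."""
    pos = question_end(query)
    if parse_header(query)["arcount"] and query[pos] == 0 \
            and struct.unpack("!H", query[pos + 1:pos + 3])[0] == TYPE_OPT:
        return struct.unpack("!H", query[pos + 3:pos + 5])[0]
    return None


def build_udp_response(query, addresses, server_udp_size=4096):
    """Server side: one A record per address. If the message would exceed what the client
    can take over UDP, include only the records that fit and set TC, so the client retries
    over TCP (RFC 1035). With EDNS0 the client's advertised size replaces the 512-byte limit
    (sizes below 512 are treated as 512)."""
    opt_size = find_opt_size(query)
    limit = max(opt_size, MAX_UDP_PAYLOAD) if opt_size is not None else MAX_UDP_PAYLOAD
    question = query[12:question_end(query)]
    # Echo an OPT RR carrying our own buffer size only if the client sent one
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, server_udp_size, 0, 0) if opt_size is not None else b""
    # Each A record: compression pointer to the question name (2) + type/class/TTL/RDLEN (10) + IPv4 (4)
    records = [b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
               + bytes(int(o) for o in ip.split(".")) for ip in addresses]
    answers, size = [], 12 + len(question) + len(opt)
    for rr in records:
        if size + len(rr) > limit:
            break
        answers.append(rr)
        size += len(rr)
    truncated = len(answers) < len(records)
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", parse_header(query)["id"], flags, 1, len(answers), 0, 1 if opt else 0)
    return header + question + b"".join(answers) + opt


def client_next_step(udp_response, firewall_allows_tcp53):
    """Client side: a complete UDP answer is used as-is; a TC answer must be retried over
    TCP/53, which an ACL permitting only udp/53 turns into a resolution failure."""
    if not parse_header(udp_response)["tc"]:
        return "udp-complete"
    return "tcp-retry" if firewall_allows_tcp53 else "fail-tcp-blocked"


if __name__ == "__main__":
    # Constructed sample: a name with 30 A records (the many-A-record case from the thread)
    many = ["10.0.0.%d" % i for i in range(1, 31)]
    plain = build_query("www.example.com")
    edns = build_query("www.example.com", edns_udp_size=4096)
    for label, q in (("plain UDP", plain), ("EDNS0 4096", edns)):
        r = build_udp_response(q, many)
        h = parse_header(r)
        print(label, len(r), "bytes, answers:", h["ancount"], "TC:", h["tc"],
              "->", client_next_step(r, firewall_allows_tcp53=False))
```

With 30 A records the plain-UDP answer is cut to 29 records (497 bytes) with TC set, so a resolver behind a udp/53-only ACL cannot complete the lookup; the same query with an EDNS0 size of 4096 comes back whole over UDP (524 bytes), which is why the advice in the thread holds for typical queries but not for the large-answer names it mentions.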



-----Original Message-----
From: John Hally [mailto:JHally () epnet com] 
Sent: Friday, November 11, 2005 8:35 AM
To: 'pen-test () securityfocus com'
Subject: DNS ACL ?

Hello All,

I need a sanity check regarding DNS ACLs.  For external facing DNS servers
you need to allow only udp/53 inbound, correct?  I know tcp/53 is used for
zone transfers and requests/replies greater than a certain size, but they
shouldn't typically happen for general DNS queries, correct?

Thanks in advance!



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

