RE: DNS ACL ?

["Kyle Quest" <Kyle.Quest () networkengines com>]

-----Original Message-----
From: Dario Ciccarone (dciccaro) [mailto:dciccaro () cisco com]
Sent: Thursday, November 17, 2005 3:07 AM
To: pen-test () securityfocus com
Subject: FW: DNS ACL ?


> RFC-2671 ('Extension Mechanisms for DNS (EDNS0)') updates RFC-2671 and
> allows for packet sizes > 512 when using UDP as transport. 
>
> A reference from MS: http://support.microsoft.com/kb/828263
>
> Some queries that might exceed the 512-byte size are those like, for
> example, www.microsoft.com or www.yahoo.com, due to the number of A
> records returned.
>
> So, you will probably be OK with only allowing 53/udp to your DNS
> server.

That's not always true. Yes, DNS extensions have a mechanism to
increase the UDP message size. However, both sides (clients and servers)
are involved in the process of negotiating those big messages.
Not all DNS clients automatically try to negotiate bigger UDP
messages. The same goes for DNS servers. And there's always security
devices somewhere on the network that may not allow those extensions...
either by stripping or disallowing the udp message size option or
simply by ignoring (/not understanding) them. My recommendation is
to not rely on any extended DNS functionality.

Kyle

 

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------