Firewall Wizards mailing list archives

Re: Does blocking TCP DNS packets keep your Bind safe?


From: Jeff Sedayao <sedayao () orpheus sc intel com>
Date: Fri, 9 Mar 2001 08:41:07 -0800 (PST)

OK, here I go again breaking things :)
 
Over the years I've argued about blocking icmp at the border routers. Steve 
Bellovin et al would usually argue that it breaks path MTU, etc. I'd 
usually argue that we can rely on path MTU being negotiated elsewhere in 
the path (LAN vs. WAN bandwidth)...but I digress
 
Here's what I am suggesting:
 
1. We should all only do zone transfers (TCP) with known secondaries.
 
I think that is a good idea.  Some people would argue that is all public 
information, but I prefer not to allow everyone to transfer.

2. Most if not all "normal" queries needed by legit Internet traffic are UDP.
 
Why not just block port 53 TCP connections at the border routers except for 
our secondaries. Is it possible to do a buffer overflow or other DNS/Bind 
exploit via UDP? I don't know the answer, I'm asking.
 
There are a couple of problems with this.

1.  If you have responses to queries that are really big, DNS uses UDP
for part of the answer and then switches to TCP.  It seems like a bad
idea to have records this big, but I have seen it happen.

2.  Under certain lossy network conditions, DNS switches to using TCP
for queries.  Not sure if that would really help, but that is what
happens.

3.  You want to register domains in certain country domains, namely
France (.fr) and the Netherlands (.nl).  In order to register these
domains, the NICs for those countries require TCP access on port 53 to
your name servers.  You can see for yourself with the .fr domain at
http://www.nic.fr/zonecheck/

Alternatively, you could close TCP port 53 to your name servers as long as you 
made sure that DNS records are a reasonable size and opened the port
when you registered domains in France or the Netherlands.

Don
 

Don Kendrick, CNE, CCNA, GCIA, CISSP

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards



-- 
Jeff Sedayao
Intel Corporation
sedayao () orpheus sc intel com
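The UDP-then-TCP behaviour Don describes in point 1 is the RFC 1035 truncation rule: a server that cannot fit an answer in a 512-byte UDP datagram sets the TC bit, and the resolver is expected to repeat the query over TCP port 53 (where every message carries a 2-byte length prefix). The following Python is an added illustration of that mechanism, not code from the thread or from either poster. It builds a query, constructs a sample truncated response (labelled as constructed), and shows what a resolver does with it when TCP 53 to the authoritative server is reachable and when a border ACL has blocked it. The secondary addresses and the `resolver_step` helper are assumptions made for the example.

```python
import struct

# Constructed for the example: the "known secondaries" that would be the only
# hosts allowed to reach TCP/53 under the policy proposed in the thread.
SECONDARIES = {"192.0.2.53", "198.51.100.53"}

UDP_MAX_PAYLOAD = 512  # RFC 1035 4.2.1 limit for DNS over UDP (pre-EDNS0)

FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: answer did not fit in the UDP datagram
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def build_query(qname, qtype=1, txid=0x1234):
    """Minimal RFC 1035 query: 12-byte header plus one question (A/IN by default)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the header fields a resolver needs to decide what to do next."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def must_retry_over_tcp(udp_response):
    """RFC 1035 truncation rule: TC=1 means the UDP answer is incomplete and the
    query must be repeated over TCP port 53."""
    return parse_header(udp_response)["tc"]


def tcp_frame(msg):
    """RFC 1035 4.2.2: over TCP each message is prefixed with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def make_truncated_response(query):
    """Constructed sample of what a server sends when the full answer would exceed
    UDP_MAX_PAYLOAD: QR=1, TC=1, question echoed, answer section left empty."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def resolver_step(udp_response, tcp_53_reachable):
    """Hypothetical helper (not from the thread) showing the resolver's decision
    once the UDP answer is in hand and TCP/53 may or may not be filtered."""
    if not must_retry_over_tcp(udp_response):
        return "answer-complete"
    if tcp_53_reachable:
        return "retry-over-tcp"
    # This is the failure mode of blocking TCP/53 at the border: the resolver
    # has a truncated answer and no way to fetch the rest.
    return "failed-tcp-blocked"


def tcp_53_allowed(src_ip, secondaries=SECONDARIES):
    """The proposed border policy: TCP/53 only from the known secondaries."""
    return src_ip in secondaries


if __name__ == "__main__":
    q = build_query("example.com")
    r = make_truncated_response(q)
    print("truncated:", must_retry_over_tcp(r))
    print("open TCP/53 ->", resolver_step(r, tcp_53_reachable=True))
    print("TCP/53 filtered ->", resolver_step(r, tcp_53_reachable=False))
    print("TCP framing prefix:", tcp_frame(q)[:2].hex())
```

Note that with the proposed policy a public recursive resolver (which is not one of the secondaries) hits the `failed-tcp-blocked` branch whenever your zone hands back an answer larger than 512 bytes, which is exactly the case Don raises in point 1.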

