Security Incidents mailing list archives
Re: DNS ports and scans
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Mon, 7 May 2001 10:39:19 -0400
On Sat, 05 May 2001 12:36:05 EDT, Jason Lewis <jlewis () JASONLEWIS NET> said:
> lookups on UDP 53. Since I have blocked TCP port 53, I have seen a decrease in
> attack attempts on my name servers, primarily because that port isn't open. I do
> still see scans for the DNS ports, but nothing more than a port scan. My question
> is... Can anyone come up with any pros/cons of doing this?
One downside: A proper DNS setup has at least one off-site secondary (as Microsoft found out a while ago when all 4 of their DNS servers got cut off because they were in the same subnet). Make sure you punch a hole in the block for your secondaries.

Also, if you have a host that has a long list of records, and the packet ends up being more than 512 bytes long, it will end up using TCP. This may not be an issue if you don't have such DNS entries yourself. Make sure you also Do The Right Thing if you have to open an *outbound* connection to somebody else's port 53 because *they* have a long list and you're trying to talk to them.

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
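The 512-byte fallback Valdis describes is worth seeing in wire terms. The following is an added example, not code from this thread or from any resolver mentioned in it: it builds a DNS query, inspects the TC (truncated) flag in a reply, and, when TC is set, re-sends the same query over TCP with the two-octet length prefix that TCP DNS requires. The transports are injected so it runs offline; `_constructed_server`, `fake_udp`, `fake_tcp` and `fake_tcp_blocked` are constructed stand-ins for a real server, and the 40 A records they return are made up. `fake_tcp_blocked` models exactly the case the reply warns about, a firewall that drops TCP/53, so the truncated answer is never completed.

```python
"""Offline demonstration of DNS UDP-to-TCP fallback (RFC 1035 s4.2.1, RFC 7766)."""
import struct

# Header flag bits, RFC 1035 section 4.1.1
FLAG_QR = 0x8000   # 1 = response
FLAG_TC = 0x0200   # 1 = answer did not fit the 512-octet UDP limit
FLAG_RD = 0x0100
FLAG_RA = 0x0080
UDP_MAX_PAYLOAD = 512  # classic limit without EDNS0


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Recursive query for (name, qtype, class IN); qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-octet header into a dict of the fields we care about."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than 12-octet header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with a 2-octet big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(data):
    """Split a TCP byte stream back into DNS messages; reject short reads."""
    msgs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack("!H", data[pos:pos + 2])
        body = data[pos + 2:pos + 2 + n]
        if len(body) != n:
            raise ValueError("short DNS message in TCP stream")
        msgs.append(body)
        pos += 2 + n
    return msgs


def resolve_with_fallback(query, send_udp, send_tcp):
    """Send over UDP; if the reply has TC=1, retry the same query over TCP.

    send_udp(query) -> response bytes; send_tcp(framed_query) -> raw TCP bytes.
    Returns (transport_used, response_bytes).
    """
    qid = parse_header(query)["id"]
    hdr = parse_header(resp := send_udp(query))
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("UDP reply does not match query")
    if not hdr["tc"]:
        return "udp", resp
    # Truncated: the UDP payload is unusable except for the TC bit itself.
    try:
        raw = send_tcp(frame_for_tcp(query))
    except OSError as exc:
        # This is what blocking TCP/53 looks like from the client side.
        raise RuntimeError("TCP fallback failed (TCP/53 filtered?): %s" % exc)
    tcp_resp = unframe_from_tcp(raw)[0]
    if parse_header(tcp_resp)["id"] != qid:
        raise ValueError("TCP reply does not match query")
    return "tcp", tcp_resp


# --- Constructed stand-ins for a server; no real traffic is sent ---

def _constructed_server(query, max_bytes, n_records=40):
    """Answer with n_records made-up A records (192.0.2.x, a documentation
    range); if the response exceeds max_bytes, return header+question with TC=1."""
    qid, question = parse_header(query)["id"], query[12:]
    # 0xC00C = compression pointer to the question name at offset 12
    rr = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, i])
                  for i in range(n_records))
    full = struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_RD | FLAG_RA, 1, n_records, 0, 0)
    full += question + rr
    if len(full) <= max_bytes:
        return full
    return struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, 1, 0, 0, 0) + question


def fake_udp(query):
    return _constructed_server(query, UDP_MAX_PAYLOAD)


def fake_tcp(framed_query):
    (n,) = struct.unpack("!H", framed_query[:2])
    return frame_for_tcp(_constructed_server(framed_query[2:2 + n], 65535))


def fake_tcp_blocked(framed_query):
    raise ConnectionRefusedError("TCP/53 filtered")


if __name__ == "__main__":
    q = build_query("example.com")
    used, r = resolve_with_fallback(q, fake_udp, fake_tcp)
    print(used, parse_header(r)["ancount"], "answers")
```

With 40 records the constructed answer is 669 octets, so the UDP reply carries only the header, question and TC=1, and the full answer arrives over TCP; a three-record answer stays on UDP. Note that the fallback is driven by the *responder's* data, which is the reply's point about outbound TCP/53: the querying side cannot know in advance which remote names will need it.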