Security Incidents mailing list archives
Re: DNS ports and scans
From: Abe Getchell <agetchel () KDE STATE KY US>
Date: Sun, 6 May 2001 01:28:54 -0400
Hi Jason,

Stevens says, "When the resolver issues a query and the response comes back with the TC bit set ("truncated") it means the size of the response exceeded 512 bytes, so only the first 512 bytes were returned by the server. The resolver normally issues the request again, using TCP. This allows more than 512 bytes to be returned."

Now when you mention 'blocking' it, I assume you're talking about blocking TCP 53 from external networks incoming to your internal network(s) with some sort of firewall device. So, if you have any host entries in which the data returned to the resolver is greater than 512 bytes (fairly common for large round robin entries), then it could possibly break resolution or at least cripple functionality for some external users depending on how their DNR handles the absence of TCP DNS resolution.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice 502-564-2020x225
E-mail agetchel () kde state ky us
Web http://www.kde.state.ky.us/
-----Original Message-----
From: Jason Lewis [mailto:jlewis () JASONLEWIS NET]
Sent: Saturday, May 05, 2001 12:36 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: DNS ports and scans

DNS queries are on UDP port 53. TCP port 53 is used for zone transfers. By blocking TCP port 53 I can't do zone transfers, but clients can still do lookups on UDP 53. Since I have blocked TCP port 53, I have seen a decrease in attack attempts on my name servers, primarily because that port isn't open. I do still see scans for the DNS ports, but nothing more than a port scan.

My question is...Can anyone come up with any pros/cons of doing this? My name servers are successfully serving my domains, so I don't see a downside.

Thoughts?

Jason Lewis
http://www.rivalpath.com
"All you can do is manage the risks. There is no security."
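The exchange above turns on one header bit. The following Python script is an added illustration, not code from either poster: it builds a DNS query, parses the flags word of a response to test the TC bit, simulates the server behaviour Stevens describes (over 512 bytes, set TC and send only the first 512), and walks the resolver's decision to retry over TCP. The 512-byte limit is the one quoted in the thread; the server, the constructed round-robin answer set, the transaction ID and the `tcp_allowed` switch standing in for a firewall that drops TCP/53 are all assumptions made for the demonstration. No packets are sent; everything runs offline.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1) and the classic UDP ceiling
QR_FLAG = 0x8000   # 1 = response, 0 = query
TC_FLAG = 0x0200   # TrunCation: the message was cut to fit the UDP limit
RD_FLAG = 0x0100   # recursion desired
RA_FLAG = 0x0080   # recursion available
UDP_LIMIT = 512    # pre-EDNS0 maximum UDP payload, the figure quoted from Stevens


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name, qtype=1):
    """Standard query (A record by default) with RD set and one question."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header; only fields the resolver logic needs are returned."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR_FLAG), "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def needs_tcp_retry(response, expected_id):
    """True when a matching UDP response carries TC and must be re-asked over TCP."""
    h = parse_header(response)
    if h["id"] != expected_id or not h["qr"]:
        raise ValueError("response does not match our query")
    return h["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def build_a_response(query, addresses):
    """Constructed full answer: one A record per address, owner name compressed to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, QR_FLAG | RD_FLAG | RA_FLAG, 1, len(addresses), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in a.split("."))
        for a in addresses)
    return header + question + answers


def serve_over_udp(full_response):
    """Simulated server (assumption): above 512 bytes, set TC and return only the first 512."""
    if len(full_response) <= UDP_LIMIT:
        return full_response
    flags = struct.unpack("!H", full_response[2:4])[0] | TC_FLAG
    return full_response[:2] + struct.pack("!H", flags) + full_response[4:UDP_LIMIT]


def resolve_demo(name, addresses, tcp_allowed=True):
    """Resolver walk-through: UDP first, TCP retry on TC; reports which transport answered."""
    txid = 0x1234  # constructed transaction ID
    query = build_query(txid, name)
    udp_reply = serve_over_udp(build_a_response(query, addresses))
    if not needs_tcp_retry(udp_reply, txid):
        return {"transport": "udp", "answers": parse_header(udp_reply)["ancount"]}
    if not tcp_allowed:
        # a firewall dropping TCP/53 leaves the resolver with a truncated answer it cannot complete
        return {"transport": "none", "answers": 0}
    tcp_reply = tcp_frame(build_a_response(query, addresses))  # TCP carries the full answer
    return {"transport": "tcp", "answers": parse_header(tcp_reply[2:])["ancount"]}


if __name__ == "__main__":
    small = ["192.0.2.%d" % i for i in range(1, 4)]    # constructed documentation addresses
    big = ["192.0.2.%d" % i for i in range(1, 41)]     # a 40-way round robin: 673 bytes, over the limit
    print(resolve_demo("www.example.com", small))
    print(resolve_demo("www.example.com", big))
    print(resolve_demo("www.example.com", big, tcp_allowed=False))
```

Each A record with a compression pointer costs 16 bytes, so a 40-address round robin for `www.example.com` comes to 673 bytes and trips the limit, while three addresses fit in 81 bytes and never touch TCP. EDNS0 has since raised the practical UDP payload size, but a response with TC set still means a TCP retry, so the failure mode Abe describes, a client that cannot complete the retry because TCP/53 is filtered, is the thing to look for in resolver logs when lookups for large record sets fail from outside.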