Penetration Testing mailing list archives
Re: DNS ACL ?
From: Richard C Lewis <mrlew1 () earthlink net>
Date: Sun, 13 Nov 2005 20:19:09 -0500
Whenever a DNS server returns a response of over 512 bytes it will set the Truncation bit to tell the requesting server to reissue the same query over a Virtual Circuit (TCP connection). This is normally seen with requests for web server information for large server farms. If you block TCP/53 to your DNS server you *MAY* not experience any problems, but the problems will likely occur on the requesting side of someone seeking your information. If you do not have a lot of systems with the same name on multiple IP addresses or multiple CNAMES or a large mail server farm you *MAY* come out okay. Just keep in mind that your DNS system will not be functioning the way it *should* be... but then we wouldn't have a need for security professionals if everything did what it *should*... You can limit your exposure by reducing who can perform zone transfers via the allow-transfer option and use the query-source option to control the port used for your outgoing queries. Coupled with router/firewall ACLs you can serious limit the TCP connections to your DNS server.
--- Begin Message --- From: John Hally <JHally () epnet com>
Date: Fri, 11 Nov 2005 08:35:06 -0500
Hello All, I need a sanity check regarding DNS ACLs. For external facing DNS servers you need to allow only udp/53 inbound, correct? I know tcp/53 is used for zone transfers and requests/replies greater than a certain size, but they shouldn't typically happen for general dns queries correct? Thanks in advance! ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
--- End Message ---
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- DNS ACL ? John Hally (Nov 11)
- Re: DNS ACL ? Stephen J. Smoogen (Nov 13)
- RE: DNS ACL ? Jason Muskat (Nov 13)
- RE: DNS ACL ? Giancarlo Paolillo (Nov 13)
- Re: DNS ACL ? Thor (Hammer of God) (Nov 13)
- Re: DNS ACL ? Richard C Lewis (Nov 13)
- Re: DNS ACL ? Chris Brenton (Nov 13)
- Re: DNS ACL ? Lynx (Nov 13)
- Re: DNS ACL ? Justin Ferguson (Nov 14)
- <Possible follow-ups>
- Re: DNS ACL ? John Nemeth (Nov 13)
- RE: DNS ACL ? Maher Odeh (Nov 13)
- FW: DNS ACL ? Dario Ciccarone (dciccaro) (Nov 21)
- RE: DNS ACL ? Kyle Quest (Nov 22)
- RE: DNS ACL ? Dario Ciccarone (dciccaro) (Nov 24)
- RE: DNS ACL ? Dario Ciccarone (dciccaro) (Nov 24)
- RE: DNS ACL ? John Hally (Nov 26)