Security Advisory on TCP connections to DNS

George Ross gdmr@dcs.ed.ac.uk
Fri, 11 Jan 2002 13:04:58 +0000 

--==_Exmh_1899110798P
Content-Type: text/plain; charset=us-ascii

> i just had a flashback that some people sometime ago suggested opening
> port 53 for TCP to the world.

Probably because it's required in order that the DNS will work properly.
(It is a good idea to block 53/TCP and 53/UDP for all except your 
nameservers.)

> - DNS Requests/Replies are using UDP on port 53, which is okay, we need to
>   enable communication on the router/fw to the DNS server.

Not necessarily.

> - DNS zone transfer are using TCP on port 53, which is *ONLY* for
>   secondary/tertiary/... DNS servers, that need to have a complete copy of
>   the defined zones.

Nope.  Any query can be made using TCP, though resolvers will usually try 
UDP first and retry with TCP if the answer didn't fit.

> - Configure your DNS server to do zone transfers *ONLY* to the trusted
>   DNS servers.

That (arguably) makes sense.  While you're at it, configure them not to 
allow outsiders to do recursive queries.

> - Configure your firewall to allow TCP port 53 traffic only from those
>   trusted DNS servers. Other connections should be logged and considered
>   as potential recon against your net.

Nope.  Other connections are quite likely to be legitimate queries.

>... and then look for valueable information such as NS, MX, A records
> HINFO records, and so on.

The zone is unlikely to work at all unless some information is public.

> it's better and faster than using scanning tools like nmap or so.

Experience will vary, but from our point of view it looks as though 
directed scans have gone out of fashion (even nameservers and web servers, 
which used to be popular targets).  Most of what we see nowadays consists 
of complete scans of our address space for particular vulnerabilities (ssh 
is flavour of the month) or apparently-random probes.
-- 
Dr George D M Ross, Division of Informatics, University of Edinburgh
     Kings Buildings, Mayfield Road, Edinburgh, Scotland, EH9 3JZ
Mail: gdmr@dcs.ed.ac.uk   Voice: +44 131 650 5147   Fax: +44 131 667 7209
PGP DSA: 1024/AD758CC5 B91E D430 1E0D 5883 EF6A  426C B676 5C2B AD75 8CC5



--==_Exmh_1899110798P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Exmh version 2.3.1 01/18/2001

iD8DBQE8PuL6tnZcK611jMURAkrRAKCumFdFlaE0VDrjI0f/nMR/CCR/rwCfcL3S
nYNuiCBnnsIm+jyMS0fbmfw=
=TBrt
-----END PGP SIGNATURE-----

--==_Exmh_1899110798P--