Security Advisory on TCP connections to DNS
Fri, 11 Jan 2002 13:04:58 +0000
Content-Type: text/plain; charset=us-ascii
> i just had a flashback that some people sometime ago suggested opening
> port 53 for TCP to the world.
Probably because it's required in order that the DNS will work properly.
(It is a good idea to block 53/TCP and 53/UDP for all except your
> - DNS Requests/Replies are using UDP on port 53, which is okay, we need to
> enable communication on the router/fw to the DNS server.
> - DNS zone transfer are using TCP on port 53, which is *ONLY* for
> secondary/tertiary/... DNS servers, that need to have a complete copy of
> the defined zones.
Nope. Any query can be made using TCP, though resolvers will usually try
UDP first and retry with TCP if the answer didn't fit.
> - Configure your DNS server to do zone transfers *ONLY* to the trusted
> DNS servers.
That (arguably) makes sense. While you're at it, configure them not to
allow outsiders to do recursive queries.
> - Configure your firewall to allow TCP port 53 traffic only from those
> trusted DNS servers. Other connections should be logged and considered
> as potential recon against your net.
Nope. Other connections are quite likely to be legitimate queries.
>... and then look for valueable information such as NS, MX, A records
> HINFO records, and so on.
The zone is unlikely to work at all unless some information is public.
> it's better and faster than using scanning tools like nmap or so.
Experience will vary, but from our point of view it looks as though
directed scans have gone out of fashion (even nameservers and web servers,
which used to be popular targets). Most of what we see nowadays consists
of complete scans of our address space for particular vulnerabilities (ssh
is flavour of the month) or apparently-random probes.
Dr George D M Ross, Division of Informatics, University of Edinburgh
Kings Buildings, Mayfield Road, Edinburgh, Scotland, EH9 3JZ
Mail: email@example.com Voice: +44 131 650 5147 Fax: +44 131 667 7209
PGP DSA: 1024/AD758CC5 B91E D430 1E0D 5883 EF6A 426C B676 5C2B AD75 8CC5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Exmh version 2.3.1 01/18/2001
-----END PGP SIGNATURE-----