[unisog] DNS over TCP should we block

Pascal Meunier pmeunier at cerias.purdue.edu
Tue Jan 4 20:58:10 GMT 2005


The threats that the original poster may want to avoid should be discussed;
without this discussion, it's not possible to say whether blocking DNS over
TCP (from where to where?) is the best way to mitigate them.  If zone
transfers are the threat in question:

-"It is better to use named.conf to control zone transfers... (than)
firewalling tcp" ( 
http://www.secinf.net/unix_security/Linux_Administrators_Security_Guide/Linu
x_Administrators_Security_Guide__Network_services__DNS.html)

OR

-" The risk that zone transfers pose may be reduced by incorporating a
split-DNS architecture. Split-DNS uses a DNS domain server for publicly
reachable services within the DMZ, and a DNS domain server for the private
internal network [7,8]"
http://www.whitehats.ca/main/members/Jeff/jeff_dns_security/jeff_dns_securit
y.html

So there are other ways to address this than blocking DNS over TCP.

Cheers,
Pascal Meunier
Purdue University CERIAS

On 1/4/05 3:15 PM, "Reg Quinton" <reggers at ist.uwaterloo.ca> wrote:

>> DNS over TCP should be permitted, in both directions.  Some things
>> will break if you do not allow it.
> 
> I'll disagree.
> 
> Assuming your clients are configured to use campus name servers there's no
> need to open DNS over TCP (and UDP) to everyone -- constrain it to just your
> campus DNS name servers.
> 
> If you allow DNS over TCP and UDP to everyone then you can expect bad guys
> to exploit that. 
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> 





More information about the unisog mailing list