[unisog] DNS over TCP should we block

Vijay S Sarvepalli VSSARVEP VSSARVEP at uncg.edu
Tue Jan 4 22:05:07 GMT 2005


All

Thanks for all the opinions. 
A) First problem: I was thinking of blocking outgoing DNS over TCP from my servers, as you know, fewer services allowed through the firewall means less trouble to worry about. If I open it up, it has to be for the whole world, as I cannot determine which are valid nameservers. I also can set the DNS query-source port in UDP to be specific. For example:

query-source * 10000;

Then one firewall rule for 
MY IP (UDP 10000) => ANY (UDP 53) 

will give a fairly tight rule. As NAMED is listening on 10000 (or whatever), nobody else can exploit that port. Whereas TCP will use any 1023+ port, and anybody can run a netcat relay if my box is carefully accessed.

A longer picture of dropping DNS over TCP (even inbound):

Here is the reason for looking at DNS over TCP incoming as a possible threat:

1) Our DNS records have never needed a virtual circuit (this means most replies to queries have been small enough). If it is not needed, why allow it? That is my first thought.
2) Zone transfer is already denied by default with "allow-transfer { none; };" and specific allow statements for each zone. Zone transfer is NOT the threat being addressed. There is also the TSIG option for this.
3) DoS attack on TCP port 53.

I do value your opinions guys/gals.. so speak on.

Vijay
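Point 1 above rests on replies fitting in a single UDP datagram. The following is an added example, not code from the thread or from BIND: it builds an A-record reply the way a classic (pre-EDNS0) server does, sets the TC bit when the 512-byte RFC 1035 limit is exceeded, and audits a set of RRsets to show which ones would force clients to retry over TCP. The zone names and addresses are constructed sample data.

```python
import struct

UDP_MAX = 512             # RFC 1035 UDP payload limit without EDNS0
FLAG_QR, FLAG_TC = 0x8000, 0x0200


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_response(qname: str, addresses: list, txid: int = 0x1234) -> bytes:
    """Server side: one A question, one A RR per address. If the message would
    exceed 512 bytes, set TC and keep only the RRs that fit; the client is then
    expected to retry the query over TCP."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    rrs = [b"\xc0\x0c"                                           # owner: pointer to question name
           + struct.pack("!HHIH", 1, 1, 300, 4)                  # A, IN, TTL 300, RDLENGTH 4
           + bytes(int(o) for o in ip.split("."))
           for ip in addresses]
    flags, kept, size = FLAG_QR | 0x0180, [], 12 + len(question)  # RD, RA set
    for rr in rrs:
        if size + len(rr) > UDP_MAX:
            flags |= FLAG_TC
            break
        kept.append(rr)
        size += len(rr)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(kept), 0, 0)
    return header + question + b"".join(kept)


def needs_tcp_retry(msg: bytes) -> bool:
    """Client side (RFC 1035): a set TC bit means the answer was truncated and
    the query must be repeated over TCP to get the complete reply."""
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def audit_rrsets(rrsets: dict) -> dict:
    """Which RRsets of a zone would need a TCP fallback at the 512-byte limit?"""
    return {name: needs_tcp_retry(build_a_response(name, addrs)) for name, addrs in rrsets.items()}


# Constructed sample zone data (not real records)
SAMPLE = {
    "www.example.edu.": ["192.0.2.10", "192.0.2.11"],
    "mirror.example.edu.": ["192.0.2.%d" % i for i in range(1, 40)],
}

if __name__ == "__main__":
    for name, tcp in audit_rrsets(SAMPLE).items():
        print(f"{name}: {'needs TCP fallback' if tcp else 'fits in one UDP reply'}")
```

Run against a zone's real RRsets, the same audit tells you whether "never needed a virtual circuit" still holds before a TCP block goes in.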

Pascal Meunier <pmeunier at cerias.purdue.edu>
Sent by: unisog-bounces at lists.sans.org
01/04/2005 03:58 PM
Please respond to UNIversity Security Operations Group <unisog at lists.sans.org>

To: UNIversity Security Operations Group <unisog at lists.sans.org>
cc:
Subject: Re: [unisog] DNS over TCP should we block

The threats that the original poster may want to avoid should be discussed; without this discussion, it's not possible to say whether blocking DNS over TCP (from where to where?) is the best way to mitigate them. If zone transfers are the threat in question:

- "It is better to use named.conf to control zone transfers... (than) firewalling tcp" (http://www.secinf.net/unix_security/Linux_Administrators_Security_Guide/Linux_Administrators_Security_Guide__Network_services__DNS.html)

OR

- "The risk that zone transfers pose may be reduced by incorporating a split-DNS architecture. Split-DNS uses a DNS domain server for publicly reachable services within the DMZ, and a DNS domain server for the private internal network [7,8]" (http://www.whitehats.ca/main/members/Jeff/jeff_dns_security/jeff_dns_security.html)

So there are other ways to address this than blocking DNS over TCP.

Cheers,
Pascal Meunier
Purdue University CERIAS

On 1/4/05 3:15 PM, "Reg Quinton" <reggers at ist.uwaterloo.ca> wrote:

>> DNS over TCP should be permitted, in both directions.  Some things
>> will break if you do not allow it.
> 
> I'll disagree.
> 
> Assuming your clients are configured to use campus name servers there's no
> need to open DNS over TCP (and UDP) to everyone -- constrain it to just your
> campus DNS name servers.
> 
> If you allow DNS over TCP and UDP to everyone then you can expect bad guys
> to exploit that. 
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> 
