[Dshield] UDP packets dropped from DNS server

Johannes B. Ullrich jullrich at euclidian.com
Mon Oct 29 01:04:19 GMT 2001




> >Thank-you, John. To prevent the poor server's developing an
> >inferiority complex, shall I just open port 9318 on my firewall?
> >Or will I then compromise security? And, assuming that you are
> >a busy person, where shall I look to educate myself as to the
> >best solution so as to discontinue nagging you for answers?
> 
> What're you using for your firewall? As Gary suggested, your firewall 
> may be timing out before the DNS server is responding.

It's very much a question of the type of firewall you are using:

For a stateful firewall, the 'timeout' is the likely problem. Increasing 
the timeout is tricky and not without drawbacks. Firstly, the kernel may 
need to track a larger number of 'dead' connections, and the window for an 
attacker to send a spoofed reply increases (not a big risk, but it 
exists).

More likely, you have a non-stateful firewall. In this case, you need to 
allow all replies from your ISP's DNS that originate from port 53 (the 
target port on your end will change). In some cases, if you use BIND for 
example, you can fix the local port that is used to ask questions.

Don't just open your firewall to packets from port 53. It is a common 
misconfiguration and used by many port scan tools. Rather, limit the 
number of IPs that you allow in to trusted IPs (your ISP's name servers).

-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

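As an added illustration (not from the post or the list), the two firewall styles discussed above modelled in Python: a stateful filter that drops a DNS reply once the query's timeout has passed, and the non-stateful "anything from source port 53" rule beside the version restricted to the ISP's name servers. All addresses are constructed documentation-range values and the resolver set is assumed.

```python
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 documentation ranges), not real hosts.
MY_HOST = "192.0.2.10"
TRUSTED_DNS = {"198.51.100.53", "198.51.100.54"}  # assumed ISP resolvers

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def weak_rule(pkt):
    """Non-stateful rule that trusts any UDP packet sourced from port 53."""
    return pkt.sport == 53

def trusted_rule(pkt, trusted=TRUSTED_DNS):
    """Non-stateful rule limited to replies from the ISP's name servers."""
    return pkt.sport == 53 and pkt.src in trusted

class StatefulFilter:
    """Minimal connection tracker: a reply is allowed only while the
    matching outbound query is still inside the timeout window."""
    def __init__(self, timeout):
        self.timeout = timeout
        self.pending = {}  # (peer ip, peer port, our ip, our port) -> send time

    def outbound(self, pkt, now):
        self.pending[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now

    def inbound(self, pkt, now):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        sent = self.pending.pop(key, None)
        return sent is not None and now - sent <= self.timeout

def scenario(reply_delay, timeout):
    """Return which packets each firewall style lets in."""
    query = Packet(MY_HOST, 9318, "198.51.100.53", 53)
    reply = Packet("198.51.100.53", 53, MY_HOST, 9318)
    probe = Packet("203.0.113.7", 53, MY_HOST, 9318)  # unsolicited, source port 53
    fw = StatefulFilter(timeout)
    fw.outbound(query, now=0)
    return {
        "stateful_reply": fw.inbound(reply, now=reply_delay),
        "stateful_probe": fw.inbound(probe, now=reply_delay),
        "weak_reply": weak_rule(reply), "weak_probe": weak_rule(probe),
        "trusted_reply": trusted_rule(reply), "trusted_probe": trusted_rule(probe),
    }
```

With a 30-second timeout and a reply arriving after 45 seconds, the stateful filter drops the legitimate answer, while the weak stateless rule admits both the answer and the unsolicited probe; only the trusted-source rule admits the answer and rejects the probe.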
