[Dshield] UDP packets dropped from DNS server
Johannes B. Ullrich
jullrich at euclidian.com
Mon Oct 29 01:04:19 GMT 2001
> >Thank-you, John. To prevent the poor server's developing an
> >inferiority complex, shall I just open port 9318 on my firewall?
> >Or will I then compromise security? And, assuming that you are
> >a busy person, where shall I look to educate myself as to the
> >best solution so as to discontinue nagging you for answers?
> What're you using for your firewall? As Gary suggested, your firewall
> may be timing out before the DNS server is responding.
It's very much a question of the type of firewall you are using:
For a stateful firewall, the 'timeout' is the likely problem. Increasing
the timeout is tricky and not without drawbacks. Firstly, the kernel may
need to track a larger number of 'dead' connections, and the window for an
attacker to send a spoofed reply increases (not a big risk, but it
More likely, you have a non-stateful firewall. In this case, you need to
allow all replies from your ISP's DNS that originate from port 53 (the
target port on your end will change). In some cases, if you use BIND for
example, you can fix the local port that is used to ask questions.
Don't just open your firewall to packets from port 53. It is a common
misconfiguration and used by many port scan tools. Rather, limit the
number of IPs that you allow in to trusted IPs (your ISP's name servers).
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
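The following is an added illustration, not part of the original list post and not DShield code. It models a stateless (non-connection-tracking) packet filter and contrasts the misconfiguration the post warns about (admit anything whose source port is 53) with the recommended rule (admit UDP from port 53 only when it comes from the ISP's own resolvers), plus the tighter variant possible when the local resolver client is pinned to a fixed query port, as the post says BIND allows. The resolver addresses, the local port, and the sample packets are constructed values from the RFC 5737 documentation ranges.

```python
"""Toy stateless packet-filter policies for inbound DNS replies.

Added example (not from the DShield thread). All addresses and ports are
constructed: 192.0.2.53/54 stand in for the ISP's resolvers, 198.51.100.7 for
a port scanner, 203.0.113.9 for an unrelated name server.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str     # remote address
    src_port: int   # remote port
    dst_port: int   # local (our side) port


# Hypothetical ISP resolvers the firewall should trust (constructed values).
TRUSTED_RESOLVERS = [ip_network("192.0.2.53/32"), ip_network("192.0.2.54/32")]

# Hypothetical fixed query port, as when BIND is configured to always ask
# questions from one local port (constructed value).
FIXED_QUERY_PORT = 53


def loose_policy(pkt: Packet) -> bool:
    """The common misconfiguration: any UDP packet with source port 53 is
    admitted regardless of origin, so a scanner that simply sets its source
    port to 53 walks straight through to every local port."""
    return pkt.proto == "udp" and pkt.src_port == 53


def trusted_resolver_policy(pkt: Packet) -> bool:
    """The post's recommendation for a non-stateful firewall: admit UDP from
    port 53 only from the ISP's resolvers. The local port is left open because
    the resolver client picks a different ephemeral port for each query."""
    if pkt.proto != "udp" or pkt.src_port != 53:
        return False
    src = ip_address(pkt.src_ip)
    return any(src in net for net in TRUSTED_RESOLVERS)


def fixed_port_policy(pkt: Packet, local_port: int = FIXED_QUERY_PORT) -> bool:
    """Tighter variant available when the local client always queries from one
    known port: the rule can match the destination port as well, so a reply
    to any other local port is dropped even if it comes from a trusted
    resolver."""
    return trusted_resolver_policy(pkt) and pkt.dst_port == local_port


def evaluate(policy, packets):
    """Apply one policy to a list of packets; True means 'accept'."""
    return [policy(p) for p in packets]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("udp", "192.0.2.53", 53, 1025),    # genuine reply from ISP resolver
    Packet("udp", "198.51.100.7", 53, 139),   # scanner probing with sport 53
    Packet("udp", "203.0.113.9", 53, 1026),   # reply from a server we never asked
    Packet("tcp", "192.0.2.53", 53, 1027),    # TCP from resolver: not covered here
    Packet("udp", "192.0.2.53", 53, 53),      # reply to the fixed query port
]


if __name__ == "__main__":
    header = f"{'packet':<40}{'loose':<8}{'trusted':<9}{'fixed':<6}"
    print(header)
    for p in SAMPLE_PACKETS:
        desc = f"{p.proto} {p.src_ip}:{p.src_port} -> :{p.dst_port}"
        print(f"{desc:<40}{str(loose_policy(p)):<8}"
              f"{str(trusted_resolver_policy(p)):<9}"
              f"{str(fixed_port_policy(p)):<6}")
```

Running the script prints one row per sample packet. The loose policy accepts the scanner's probe and the unsolicited reply alongside the genuine one; the trusted-resolver policy accepts only traffic from the listed ISP addresses; the fixed-port variant additionally drops replies aimed at any local port other than the pinned one. One caveat a practitioner should keep in mind: pinning the query source port makes the firewall rule tighter but removes source-port entropy, which matters for the spoofed-reply risk the post mentions, so the trade-off should be made deliberately.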