[Dshield] Help: DNS (53)

Brian Dessent brian at dessent.net
Wed Dec 31 17:06:43 GMT 2003


David Hart wrote:
> 
> We're using bind solely as a caching name server.
> 
> Correct me if I'm wrong but the only connects that I need to accept
> would be UDP to 53 from root servers. Right?

No, you get DNS replies from each individual DNS server.  The root
servers don't tell you anything; they just tell you who to ask next for
the correct answer.  For example, to resolve dshield.org, the following
takes place:

$ dig +trace dshield.org
.                       280072 IN NS a.root-servers.net.
.                       280072 IN NS b.root-servers.net.
.                       280072 IN NS c.root-servers.net.
.                       280072 IN NS d.root-servers.net.
.                       280072 IN NS e.root-servers.net.
.                       280072 IN NS f.root-servers.net.
.                       280072 IN NS g.root-servers.net.
.                       280072 IN NS h.root-servers.net.
.                       280072 IN NS i.root-servers.net.
.                       280072 IN NS j.root-servers.net.
.                       280072 IN NS k.root-servers.net.
.                       280072 IN NS l.root-servers.net.
.                       280072 IN NS m.root-servers.net.
;; Received 356 bytes from 127.0.0.1#53(127.0.0.1) in 20 ms

org.                    172800 IN NS TLD1.ULTRADNS.NET.
org.                    172800 IN NS TLD2.ULTRADNS.NET.
;; Received 111 bytes from 198.41.0.4#53(a.root-servers.net) in 140 ms

dshield.org.            86400 IN NS ns2.homepc.org.
dshield.org.            86400 IN NS ns2.giac.net.
dshield.org.            86400 IN NS ns1.homepc.org.
dshield.org.            86400 IN NS ns1.giac.net.
;; Received 148 bytes from 204.74.112.1#53(TLD1.ULTRADNS.NET) in 90 ms

dshield.org.            3600 IN A 65.173.218.101
dshield.org.            3600 IN NS ns2.giac.net.
dshield.org.            3600 IN NS ns2.homepc.org.
dshield.org.            3600 IN NS ns1.giac.net.
dshield.org.            3600 IN NS ns1.homepc.org.
;; Received 132 bytes from 68.166.125.210#53(ns2.homepc.org) in 130 ms


As you can see, it first queried the root server (a.root-servers.net),
which told you to ask TLD1.ULTRADNS.NET for .org queries, who in turn
told you to ask ns2.homepc.org for dshield.org queries, who in turn
returned the answer to "who is dshield.org".  So you have to accept DNS
packets from any source.

Brian
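The iterative walk Brian traces above, as an added example that is not part of the original post: a small Python model of a caching resolver that follows referrals from the root hints, records which server each reply actually came from, and applies the stateful check (reply must match a query in flight to that very server) that a resolver and a stateful firewall use instead of accepting UDP/53 from anyone. All server addresses, zone data and query IDs below are constructed for the example.

```python
import random

# Constructed referral data (not live addresses): each server either answers
# with an A record or refers the resolver on, mirroring the trace in the post.
SERVERS = {
    "198.51.100.4": {"org.": ("referral", ["203.0.113.1"])},         # root
    "203.0.113.1":  {"dshield.org.": ("referral", ["192.0.2.10"])},  # .org TLD
    "192.0.2.10":   {"dshield.org.": ("answer", "192.0.2.101")},      # authoritative
}
ROOT_HINTS = ["198.51.100.4"]


def lookup(table, qname):
    """Return what the server holds for the closest enclosing zone of qname."""
    zone = max((z for z in table if qname.endswith(z)), key=len)
    return table[zone]


class Resolver:
    def __init__(self):
        self.pending = {}        # (server, txid) -> qname: queries in flight
        self.reply_sources = []  # who actually answered, in order

    def send_query(self, server, qname):
        txid = random.randrange(65536)
        self.pending[(server, txid)] = qname
        return txid

    def reply_allowed(self, src, txid):
        """Accept a reply only if it matches a query we sent to that very server.
        This is the stateful match that replaces 'accept UDP/53 from anyone'."""
        return self.pending.pop((src, txid), None) is not None

    def resolve(self, qname):
        servers = ROOT_HINTS
        while True:
            server = servers[0]
            txid = self.send_query(server, qname)
            kind, data = lookup(SERVERS[server], qname)   # the server's reply
            if not self.reply_allowed(server, txid):
                raise RuntimeError("unsolicited reply from %s" % server)
            self.reply_sources.append(server)
            if kind == "answer":
                return data
            servers = data   # referral: ask the next server down the chain


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("dshield.org."), "via", r.reply_sources)
```

Each hop's reply comes from a different address, which is why a static source-based accept list cannot work; the state table keyed on the outstanding query is what bounds which replies get in.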
