[Dshield] Help: DNS (53)

Brian Dessent brian at dessent.net
Wed Dec 31 17:06:43 GMT 2003

David Hart wrote:
> We're using bind solely as a caching name server.
> Correct me if I'm wrong but the only connects that I need to accept
> would be UDP to 53 from root servers. Right?

No, you get DNS replies from each individual DNS server.  The root
servers don't tell you anything; they just tell you who to ask next for
the correct answer.  For example, to resolve dshield.org, the following
takes place:

$ dig +trace dshield.org
.                       280072 IN NS a.root-servers.net.
.                       280072 IN NS b.root-servers.net.
.                       280072 IN NS c.root-servers.net.
.                       280072 IN NS d.root-servers.net.
.                       280072 IN NS e.root-servers.net.
.                       280072 IN NS f.root-servers.net.
.                       280072 IN NS g.root-servers.net.
.                       280072 IN NS h.root-servers.net.
.                       280072 IN NS i.root-servers.net.
.                       280072 IN NS j.root-servers.net.
.                       280072 IN NS k.root-servers.net.
.                       280072 IN NS l.root-servers.net.
.                       280072 IN NS m.root-servers.net.
;; Received 356 bytes from in 20 ms

org.                    172800 IN NS TLD1.ULTRADNS.NET.
org.                    172800 IN NS TLD2.ULTRADNS.NET.
;; Received 111 bytes from in 140 ms

dshield.org.            86400 IN NS ns2.homepc.org.
dshield.org.            86400 IN NS ns2.giac.net.
dshield.org.            86400 IN NS ns1.homepc.org.
dshield.org.            86400 IN NS ns1.giac.net.
;; Received 148 bytes from in 90 ms

dshield.org.            3600 IN A
dshield.org.            3600 IN NS ns2.giac.net.
dshield.org.            3600 IN NS ns2.homepc.org.
dshield.org.            3600 IN NS ns1.giac.net.
dshield.org.            3600 IN NS ns1.homepc.org.
;; Received 132 bytes from in 130 ms

As you can see, it first queried the root server (a.root-servers.net),
which told you to ask TLD1.ULTRADNS.NET for .org queries, who in turn
told you to ask ns2.homepc.org for dshield.org queries, who in turn
returned the answer to "who is dshield.org".  So you have to accept DNS
packets from any source.
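The walk Brian describes above (root -> .org servers -> dshield.org's own servers), as an added example that is not part of the original post: a toy iterative resolver over a constructed in-memory delegation tree. Every server, zone cut and address in it is made up to mirror the shape of the dig +trace output (the addresses are RFC 5737 documentation ranges), and the lame-delegation server is an invented extra to show how a resolver has to bail out when a referral does not move it down the tree. The function names (ask, resolve, reply_sources) are this example's own.

```python
"""Toy iterative resolver over a constructed delegation tree.

Added example for this thread, not code from the original post. All
names, zone cuts and addresses below are constructed sample data; the
addresses come from RFC 5737 documentation ranges.
"""

from collections import namedtuple

# Constructed glue: host name -> address, so the resolver can "send" a query.
GLUE = {
    "a.root-servers.net.": "192.0.2.1",
    "tld1.ultradns.net.": "198.51.100.1",
    "ns2.homepc.org.": "203.0.113.1",
    "ns.lame.org.": "203.0.113.2",      # constructed lame delegation
}

# Constructed authoritative data. Each server answers for one zone and knows
# (a) the child zones it delegates (NS) and (b) the records it owns (A).
SERVERS = {
    "a.root-servers.net.": {
        "zone": ".",
        "NS": {"org.": ["tld1.ultradns.net."]},
        "A": {},
    },
    "tld1.ultradns.net.": {
        "zone": "org.",
        "NS": {"dshield.org.": ["ns2.homepc.org."],
               "lame.org.": ["ns.lame.org."]},
        "A": {},
    },
    "ns2.homepc.org.": {
        "zone": "dshield.org.",
        "NS": {},
        "A": {"dshield.org.": "203.0.113.50"},
    },
    # Refers back to itself for its own zone: a delegation loop.
    "ns.lame.org.": {
        "zone": "lame.org.",
        "NS": {"lame.org.": ["ns.lame.org."]},
        "A": {},
    },
}

ROOT_HINTS = ["a.root-servers.net."]

# kind is one of ANSWER, REFERRAL, NXDOMAIN
Reply = namedtuple("Reply", "kind server data")


def in_zone(name, zone):
    """True if `name` is at or below `zone` (both fully qualified, trailing dot)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def ask(server, qname):
    """Simulate one UDP question to `server`; it answers only from its own data."""
    srv = SERVERS[server]
    if qname in srv["A"]:
        return Reply("ANSWER", server, srv["A"][qname])
    # Longest delegation that covers the name => send the client a referral.
    best = max((z for z in srv["NS"] if in_zone(qname, z)), key=len, default=None)
    if best is not None:
        return Reply("REFERRAL", server, (best, srv["NS"][best]))
    return Reply("NXDOMAIN", server, None)


def resolve(qname, max_hops=8):
    """Iterate from the roots. Returns (address_or_None, list of replies seen)."""
    candidates, trace, zone = list(ROOT_HINTS), [], "."
    while candidates and len(trace) < max_hops:
        reply = ask(candidates[0], qname)
        trace.append(reply)
        if reply.kind == "ANSWER":
            return reply.data, trace
        if reply.kind == "NXDOMAIN":
            return None, trace
        child, nameservers = reply.data
        # A referral must move us *down* the tree; anything else is a lame or
        # looping delegation, so stop rather than bounce between servers forever.
        if not (in_zone(child, zone) and child != zone):
            return None, trace
        zone, candidates = child, [ns for ns in nameservers if ns in GLUE]
    return None, trace


def reply_sources(trace):
    """Addresses the resolver received packets from: the firewall-relevant set."""
    return [GLUE[r.server] for r in trace]


if __name__ == "__main__":
    addr, trace = resolve("dshield.org.")
    for r in trace:
        print(f"{r.server:<24} {r.kind:<9} {r.data}")
    print("answer:", addr)
    print("UDP/53 replies arrived from:", reply_sources(trace))
```

reply_sources() is the point of the exercise: only the last reply carries the A record, but every server in the chain sends the resolver a packet from its own address, so a filter that admits only the root servers' addresses breaks resolution at the first referral. On a stateful firewall the usual way to honour "accept from any source" without exposing port 53 to the world is to match inbound UDP/53 against the resolver's own outbound queries (connection tracking) rather than by source address.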
