[Dshield] Help: DNS (53)

Chris Brenton cbrenton at chrisbrenton.org
Wed Dec 31 19:27:54 GMT 2003

On Wed, 2003-12-31 at 11:37, David Hart wrote:
> We're using bind solely as a caching name server.

So you only need to support outbound queries.. got it.

> Correct me if I'm wrong but the only connects that I need to accept
> would be UDP to 53 from root servers. Right?

Correct. In fact, so long as you are keeping state, you only need to

> I noticed quite a few of these (they resolve to MSFT):
> Dec 31 11:30:31 mail2 kernel: Firewall: IN=eth1 OUT=
> MAC=00:09:5b:22:29:d1:00:06:25:e4:ed:a3:08:00 SRC=
> DST= LEN=73 TOS=0x00 PREC=0x00 TTL=52 ID=31495 PROTO=UDP
> SPT=51861 DPT=53 LEN=53

Sounds like you spend a lot of time on the MS site then. ;-)

Looks to me like a load balancer. Check your logs and see if you do a
query for a host within microsoft.com, msn.com, hotmail.com, etc. just
prior to this packet. I'm guessing you'll find an entry. The concept is
they connect to the name server making the query and measure round trip

> Am I doing something wrong (these packets were dropped)?

I drop them. Yes it breaks their load balancing and you could end up
connecting to a non-optimal server. You are far more secure however not
opening up access to UDP/53.

> While I am at it, we accept all connections from port 53 as the source.
> Is that appropriate?

Older versions of Bind and MS DNS use a fixed source port of 53. As of
Bind 8 or so, the source port is an upper port number. So I would focus
more on the target port rather than the source port. That or do full
payload verification. :)


More information about the list mailing list