[Dshield] DNS Question

Rick Leske rick at jaray.net
Thu Sep 25 17:58:52 GMT 2003


WoW.. on target.. nice to see someone with clean, perfect advice!

~Rick

> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
> Behalf Of Stephane Grobety
> Sent: Thursday, September 25, 2003 11:39 AM - FamHost
> To: General DShield Discussion List
> Subject: Re: [Dshield] DNS Question
> 
> 
> BS> Does anyone know why I'd be getting UDP Packets from my ISP's DNS Servers
> BS> from port 53 to port 1031?
> 
> The most obvious answer is that this is the result of DNS queries made
> by your internal machines. As the target port shown is in the dynamic
> port range, it is pretty likely.
> 
> Make sure you don't have a rogue client that goes directly to your ISP
> DNS server instead of talking to your internal DNS. If you don't have
> an internal DNS server or if your internal DNS server uses UDP to
> delegate its queries, then you'll have to make a rule to accept all
> packets coming from port 53 to port 53 and to high ports, with the
> source of your ISP's DNS server to get to all the clients that will
> potentially need to resolve. The downside of this is that anyone
> spoofing your DNS server will then be able to send packets to any high
> ports of the target machines, making them prime targets for a DNS spoof
> attack (most client DNS resolvers are pretty dumb).
> 
> Good luck,
> Stephane
> 

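Added illustration, not part of the thread: a toy stateful DNS response matcher set beside the open "anything from ISP_DNS:53 to a high port" rule Stephane describes. The `UdpDns` and `DnsStateTable` names, the 203.0.113.53 server and the 192.168.1.10:1031 client are constructed for the example.

```python
# Added example (not from the thread): a stateful check of the kind a firewall or
# resolver applies instead of blindly accepting UDP from ISP_DNS:53 to high ports.
from dataclasses import dataclass

ISP_DNS = "203.0.113.53"  # constructed sample address (TEST-NET-3)

@dataclass(frozen=True)
class UdpDns:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    txid: int          # DNS transaction ID carried in the UDP payload
    qname: str
    is_response: bool

class DnsStateTable:
    """Remembers outbound queries so only a matching answer is let back in."""
    def __init__(self):
        self.pending = set()

    def outbound(self, pkt):
        # A client query to port 53 opens a hole for exactly one reply.
        if not pkt.is_response and pkt.dst_port == 53:
            self.pending.add((pkt.dst_ip, pkt.src_ip, pkt.src_port, pkt.txid, pkt.qname))

    def inbound(self, pkt):
        if not pkt.is_response or pkt.src_port != 53:
            return "drop-not-dns"
        key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port, pkt.txid, pkt.qname)
        if key in self.pending:
            self.pending.discard(key)   # one query, one answer
            return "accept"
        return "drop-unsolicited"       # source, port, txid or name did not match

def open_rule(pkt):
    """The rule from the thread: anything from ISP_DNS:53 to a high port passes."""
    return pkt.src_ip == ISP_DNS and pkt.src_port == 53 and pkt.dst_port >= 1024

def demo():
    table = DnsStateTable()
    client = "192.168.1.10"   # constructed internal client
    table.outbound(UdpDns(client, 1031, ISP_DNS, 53, 0x1A2B, "www.example.com", False))
    good = UdpDns(ISP_DNS, 53, client, 1031, 0x1A2B, "www.example.com", True)
    # Same claimed source and ports, but a transaction ID the client never sent.
    forged = UdpDns(ISP_DNS, 53, client, 1031, 0x0001, "www.example.com", True)
    return {
        "open_rule_good": open_rule(good), "open_rule_forged": open_rule(forged),
        "stateful_good": table.inbound(good), "stateful_forged": table.inbound(forged),
    }
```

The open rule passes both packets; the state table accepts only the answer to a query it actually saw leave.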