[Dshield] Help: DNS (53)

Chris Brenton cbrenton at chrisbrenton.org
Thu Jan 1 16:13:16 GMT 2004


On Thu, 2004-01-01 at 08:43, Tod D. Ihde wrote:
>
>  >>> Correct me if I'm wrong but the only connects that I need to accept
>  >>> would be UDP to 53 from root servers. Right?
>  >
>  >
>  >Correct. In fact, so long as you are keeping state, you only need to
>  >accept ESTABLISHED 53/UDP.
> 
> False. You need to accept UDP to 53 from any in-bailiwick
> ("authoritative") server.

DOOH! That's what I get for replying when I'm in a hurry. I saw "root"
and read it as "authoritative". You are absolutely right.

Still, so long as he's permitting outbound 53/UDP and letting back in
only replies, he'll be cool.

> Also, there is no such thing as an "ESTABLISHED" UDP session/packet/etc. 

He's using iptables (that was the log format he submitted). The
"ESTABLISHED" case-sensitive keyword (which is why I had it all in caps,
I was not yelling ;) is used to let in replies regardless of whether it's
TCP, UDP, ICMP, etc.

>  >>> Dec 31 11:30:31 mail2 kernel: Firewall: IN=eth1 OUT=
>  >>> MAC=00:09:5b:22:29:d1:00:06:25:e4:ed:a3:08:00 SRC=207.46.150.15
>  >>> DST=192.168.0.31 LEN=73 TOS=0x00 PREC=0x00 TTL=52 ID=31495 PROTO=UDP
>  >>> SPT=51861 DPT=53 LEN=53
>  >
>  >
>  >Sounds like you spend a lot of time on the MS site then. ;-)
>  >
>  >Looks to me like a load balancer. Check your logs and see if you do a
>  >query for a host within microsoft.com, msn.com, hotmail.com, etc. just
>  >prior to this packet. I'm guessing you'll find an entry. The concept is
>  >they connect to the name server making the query and measure round trip
>  >time.
> 
> Load balancing? Looks like a normal DNS packet to me, until I see an 
> actual dump of the payload.

The clue is he specified this is a _caching server_ only. Caching only
implies no public NS record entry, which means people will not be making
legitimate queries to this system from the Internet. So the choices are
"port scanning" or "load balancer". Since it's just this one host and one
target port, port scanning is unlikely. That and 207.46.150.15 is known
to be one of MS's load balancers. 

Check the dshield database. I'm guessing there are probably a few people
that have not yet figured out this IP is a load balancer and reported it
as potentially hostile. You'll probably find lots of port UDP/53 target
traffic.

>  >I drop them. Yes it breaks their load balancing and you could end up
>  >connecting to a non-optimal server. You are far more secure however not
>  >opening up access to UDP/53.
> 
> Again, doesn't look like load balancing. I suggest you read up a little 
> on how DNS works (at the datagram level).

LOL! I've been working with Bind for about 10 years. I think I have a
handle on it. ;-)

>  The only thing you're doing is 
> causing your DNS server to work harder, use more bandwidth, and place 
> more of a load on external DNS servers if you're dropping DNS packets. 

Huh? Please explain how dropping load balancer traffic to a cache server
is going to bring down the Internet and cause dogs and cats to start
sleeping together. It might delay the reply, and even cause him to be
sent to a non-optimal server (as mentioned above), but that's about it.

>  >Older versions of Bind and MS DNS use a fixed source port of 53. As of
>  >Bind 8 or so, the source port is an upper port number. So I would focus
>  >more on the target port rather than the source port. That or do full
>  >payload verification. :)
> 
> Source port doesn't matter for filtering (for DNS)

Actually, they can be helpful. There are fingerprint and version
enumeration tools that use a fixed source port of 80. Limit the source
port to 53 and >1023 and you break these tools. So limiting source ports
can be helpful, but IMHO in this case they are not really worth it as
we're talking a small number of tools.

HTH,
C
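
Added example (not part of the original message): a small triage script for the iptables LOG format quoted in the thread, applying the reasoning discussed above to unsolicited inbound UDP/53 on a caching-only resolver: one source hitting one port is not a scan, and a source port that is neither 53 nor above 1023 is worth a second look. Only the first sample line comes from the thread; the other lines, the scan threshold and the verdict labels are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First line is the log entry quoted in the thread (unwrapped); the rest are
# constructed samples using documentation address ranges.
SAMPLE_LOG = """\
Dec 31 11:30:31 mail2 kernel: Firewall: IN=eth1 OUT= MAC=00:09:5b:22:29:d1:00:06:25:e4:ed:a3:08:00 SRC=207.46.150.15 DST=192.168.0.31 LEN=73 TOS=0x00 PREC=0x00 TTL=52 ID=31495 PROTO=UDP SPT=51861 DPT=53 LEN=53
Dec 31 11:31:02 mail2 kernel: Firewall: IN=eth1 OUT= SRC=198.51.100.7 DST=192.168.0.31 PROTO=TCP SPT=40001 DPT=21
Dec 31 11:31:02 mail2 kernel: Firewall: IN=eth1 OUT= SRC=198.51.100.7 DST=192.168.0.31 PROTO=TCP SPT=40002 DPT=22
Dec 31 11:31:03 mail2 kernel: Firewall: IN=eth1 OUT= SRC=198.51.100.7 DST=192.168.0.31 PROTO=UDP SPT=40003 DPT=53
Dec 31 11:32:10 mail2 kernel: Firewall: IN=eth1 OUT= SRC=203.0.113.9 DST=192.168.0.31 PROTO=UDP SPT=80 DPT=53
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; the value may be empty (OUT=)

def parse(line):
    """Return (src, proto, sport, dport) for a TCP/UDP LOG line, else None."""
    f = dict(FIELD.findall(line))
    if f.get("PROTO") not in ("TCP", "UDP") or "SPT" not in f:
        return None
    return f["SRC"], f["PROTO"], int(f["SPT"]), int(f["DPT"])

def triage(log_text, scan_threshold=3):
    """Classify each source that sent unsolicited UDP/53 to the resolver."""
    ports_by_src = defaultdict(set)   # every destination port a source touched
    dns_hits = []                     # (src, sport) for inbound UDP/53
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, proto, sport, dport = rec
        ports_by_src[src].add(dport)
        if proto == "UDP" and dport == 53:
            dns_hits.append((src, sport))
    verdicts = {}
    for src, sport in dns_hits:
        if len(ports_by_src[src]) >= scan_threshold:
            verdicts[src] = "multi-port-scan"          # many ports from one host
        elif sport != 53 and sport <= 1023:
            verdicts[src] = "odd-source-port"          # not 53 and not >1023
        else:
            verdicts.setdefault(src, "single-port-unsolicited")
    return verdicts

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A "single-port-unsolicited" verdict is the case from the thread; the next step suggested there is to check the resolver's logs for an outbound query just prior to the packet.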




