[Dshield] Help: DNS (53)
jeff-kell at utc.edu
Thu Jan 1 18:58:19 GMT 2004
Just to stir the fire a bit...

If the DNS response doesn't fit into one packet, it will back off and
make a TCP request. You have to take TCP into account as well when you
are dealing with DNS.

Scanners and recons may request a zone transfer via UDP, which is
essentially a no-no. But very few if any firewalls/router ACLs have a
clue if it's a zone transfer request or not. For bind, you can specify
the hosts that can request a zone transfer from you (should be a list of
your authorized secondaries and cache servers).

In general, DNS requests come from ports >1023, and DNS replies should
go to ports >1023. Otherwise there may be issues (Snort checks for this

For some reason, recent Linux (RedHat) builds of bind pick their
outgoing request port in the 32770ish range. If you blindly follow the
SANS guidelines which say "block 32770-32789 as these are RPC loopback
ports" you will hose DNS. So always permit DNS (53) through this range
before you block everything else.
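As an added illustration (not part of the post above), here is a small Python check that inspects a DNS query the way a plain port-53 ACL cannot: it flags an AXFR arriving over UDP or from a host outside the allow-transfer list, queries from privileged source ports, and resolver source ports that fall inside 32770-32789; it also tests the TC bit that makes a client retry over TCP. The addresses, ports and `allowed_secondaries` set are assumed sample values.

```python
import struct

AXFR = 252                                   # QTYPE of a full zone transfer request
TC_BIT = 0x0200                              # "truncated" flag: the client must retry over TCP
RPC_LOOPBACK_PORTS = range(32770, 32790)     # range the SANS guidance says to block as RPC loopback

def parse_question(msg):
    """Parse the header and first question of a DNS message; return (flags, qname, qtype)."""
    if len(msg) < 12:
        raise ValueError("DNS header truncated")
    _msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                    # compression pointers are not valid in a query name
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return flags, ".".join(labels), qtype

def build_query(qname, qtype, flags=0x0100, msg_id=0x1234):
    """Build a minimal DNS message with one question (constructed sample input)."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)

def classify(proto, src_ip, src_port, payload, allowed_secondaries=frozenset()):
    """Return findings for one inbound DNS query as seen at the perimeter (sample policy)."""
    findings = []
    flags, qname, qtype = parse_question(payload)
    if qtype == AXFR:
        if proto == "udp":
            findings.append(f"AXFR for {qname} over UDP: zone transfers run over TCP")
        if src_ip not in allowed_secondaries:
            findings.append(f"AXFR for {qname} from {src_ip}, not an authorized secondary")
    if src_port <= 1023:
        findings.append(f"query from privileged source port {src_port}")
    if src_port in RPC_LOOPBACK_PORTS:
        findings.append(f"source port {src_port} is in 32770-32789: a resolver port, not RPC")
    return findings

def needs_tcp_retry(response):
    """True when a UDP response carries the TC bit, so the client will retry over TCP."""
    return bool(parse_question(response)[0] & TC_BIT)
```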