[Dshield] Help: DNS (53)

Jeff Kell jeff-kell at utc.edu
Thu Jan 1 18:58:19 GMT 2004


Just to stir the fire a bit...

If the DNS response doesn't fit into one packet, it will back off and 
make a TCP request.  You have to take TCP into account as well when you 
are dealing with DNS.

Scanners and recons may request a zone transfer via UDP, which is 
essentially a no-no.  But very few if any firewalls/router ACLs have a 
clue if it's a zone transfer request or not.  For bind, you can specify 
the hosts that can request a zone transfer from you (should be a list of 
your authorized secondaries and cache servers).

In general, DNS requests come from ports >1023, and DNS replies should 
go to ports >1023.  Otherwise there may be issues (Snort checks for this 
anomaly).

For some reason, recent Linux (RedHat) builds of bind pick their 
outgoing request port in the 32770ish range.  If you blindly follow the 
SANS guidelines which say "block 32770-32789 as these are RPC loopback 
ports" you will hose DNS.  So always permit DNS (53) through this range 
before you block everything else.

Jeff
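An added example, not part of Jeff's post, that turns the three points above into a check you can run over captured DNS datagrams: a tiny DNS question parser, a flag for AXFR (qtype 252) requests seen over UDP, the ">1023 port" rule for queries and replies, and the TC (truncated) bit that tells the client to retry over TCP. The packets it inspects are constructed inline with `build_message`; port numbers and names are illustrative, and the finding strings are this example's own.

```python
"""Added example (not part of the original post): a small classifier for DNS
datagrams that flags the cases the post discusses:
  * zone-transfer (AXFR, qtype 252) requests arriving over UDP,
  * queries from, or replies to, ports <= 1023,
  * replies with the TC (truncated) bit set, which tell the resolver to
    repeat the same query over TCP port 53.
The packets fed to it below are constructed by hand for this example.
"""
import struct
from dataclasses import dataclass

QTYPE_A = 1
QTYPE_AXFR = 252      # RFC 1035: request for a transfer of an entire zone
FLAG_QR = 0x8000      # header bit: 1 = response, 0 = query
FLAG_RD = 0x0100      # recursion desired (typical stub-resolver query)
FLAG_TC = 0x0200      # truncated: answer did not fit in the UDP reply


@dataclass
class DnsView:
    is_response: bool
    truncated: bool
    qname: str
    qtype: int


def build_message(name: str, qtype: int, flags: int = FLAG_RD, msg_id: int = 0x1234) -> bytes:
    """Build a DNS message with a one-entry question section (class IN)."""
    header = struct.pack("!6H", msg_id, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_dns(payload: bytes) -> DnsView:
    """Parse the header and the first question of a DNS message."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:
        if off >= len(payload):
            raise ValueError("truncated question name")
        length = payload[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            # A compression pointer cannot occur in the first name of a message.
            raise ValueError("unexpected compression pointer in question")
        labels.append(payload[off:off + length].decode("ascii"))
        off += length
    if off + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    return DnsView(bool(flags & FLAG_QR), bool(flags & FLAG_TC), ".".join(labels) + ".", qtype)


def classify(proto: str, src_port: int, dst_port: int, payload: bytes) -> list:
    """Return human-readable findings for one DNS packet seen on the wire."""
    msg = parse_dns(payload)
    findings = []
    if not msg.is_response:
        if msg.qtype == QTYPE_AXFR and proto == "udp":
            findings.append("AXFR request over UDP")
        if src_port <= 1023:
            findings.append("query from privileged source port")
    else:
        if dst_port <= 1023:
            findings.append("reply to privileged destination port")
        if msg.truncated and proto == "udp":
            findings.append("truncated reply: expect retry over TCP 53")
    return findings


if __name__ == "__main__":
    # Constructed sample traffic: (proto, src_port, dst_port, payload)
    samples = [
        ("udp", 40123, 53, build_message("example.com", QTYPE_AXFR)),
        ("tcp", 40124, 53, build_message("example.com", QTYPE_AXFR)),
        ("udp", 53, 32771, build_message("example.com", QTYPE_A, FLAG_QR | FLAG_TC)),
        ("udp", 53, 1023, build_message("example.com", QTYPE_A, FLAG_QR)),
    ]
    for proto, sport, dport, data in samples:
        print(proto, sport, "->", dport, parse_dns(data).qname,
              classify(proto, sport, dport, data) or "ok")
```

The third sample is the shape of traffic the post warns about: a reply going back to a BIND resolver that chose a source port in the 32770 range. A filter that drops 32770-32789 before it permits port 53 traffic would discard exactly that packet, and the TC bit means the client would then also need TCP 53 open to finish the lookup.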
