[Dshield] Re: Risk Assessment
Mar Matthias Darin
BDarin at tanaya.net
Wed Oct 27 09:38:13 GMT 2004
I disregard what I explicitly do not use. As I said in the original
message, careful research (in my case, 4 years), and READING.
As far as large transfers of DNS entries, only my secondaries are allowed
that. A service I use for my secondary aided in the entire process of
setting up and securing my DNS server along with a complete list of
recommendations of what to allow or not, which I chose to follow.
Brian Dessent writes:
> So, you disregard protocol specs and it hasn't bitten you /yet/, that
> you've noticed. Example: most of the time DNS uses only UDP. But, for
> large queries and zone transfers it can use TCP. Let's consider the
> poor readers of the list that, having followed your advice, said to
> themselves, "Gee, I don't see any TCP being used by DNS, so I'm not
> going to allow TCP through my firewall on 53." And then a couple of
> years down the line they go to set up an off-site secondary nameserver, the
> zone transfers inexplicably fail and no one knows why. Much hair
> pulling ensues. And name resolution fails very infrequently for some
> obscure sites because only the first 512 bytes of the response come
> through. That's not the kind of behavior I'd encourage in an
> administrator: "I'll just let through what seems to be needed, not what
> the specifications call for."
See a previous message posted here to another reader... If I break
something, my users are *very* vociferous about it. My decisions are far
from haphazard or blind.
> Again, you're just in denial that there could possibly be anything wrong
> because you chose to block something that is mostly never used and you
> personally haven't noticed any side effects. Nevertheless, it's an
> important network functionality and blocking it does no good whatsoever
> other than make you feel all warm and tingly because "I block all
> ICMP." I don't think the people that happen to have a small MTU that
> can't load your site because they depend on pMTUd are really going to
> agree with you there.
What I am advocating is that the individual LEARN about the service they use
and explicitly set their firewall accordingly. That learning process is
neither quick nor easy. It means *extensively*:
1. researching the software they want to use and quite possibly contacting
the author for their advice on securing it and/or modifications to it.
2. researching any add-ons to the package to be sure that those requirements
3. Knowing the market to be serviced and its specific requirements. Not
every business operates in a public market.
Finally, I did not say they were the "best" practices. Only the individual
who wrote the original question can determine what is "best" for them. I
said the items I listed were what I used. I believe that comment falls
under the *reading* aspect.
> You can do whatever you want with your equipment and your network, that
> was not my point. My point was that when you go advocating your silly
> methods to the rest of the world as "best practices" then you should be
> prepared for someone to call you on it. Good network stewardship calls
> for following the specifications, not breaking them because you feel
> like it out of some misguided sense of security.
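The two failure modes Brian describes above (DNS answers over 512 bytes needing a TCP retry, and path MTU discovery depending on ICMP "fragmentation needed") can be checked directly on the wire. The following is an added example written for this archive page, not code from either poster; the DNS and ICMP messages are constructed samples, not captured traffic.

```python
import struct

# Bit positions in the 16-bit DNS flags word (RFC 1035 section 4.1.1)
DNS_FLAGS_QR = 0x8000  # 1 = this message is a response
DNS_FLAGS_TC = 0x0200  # 1 = response was truncated to fit the UDP limit


def needs_tcp_retry(udp_response: bytes) -> bool:
    """True if a UDP DNS response carries the TC bit: the resolver must
    repeat the query over TCP/53 or it silently works with a partial answer.
    A firewall that only permits UDP/53 turns that retry into a timeout."""
    if len(udp_response) < 12:
        raise ValueError("DNS header is 12 bytes; got %d" % len(udp_response))
    _ident, flags = struct.unpack("!HH", udp_response[:4])
    if not flags & DNS_FLAGS_QR:
        return False  # a query, not a response: nothing to retry
    return bool(flags & DNS_FLAGS_TC)


def icmp_frag_needed_mtu(icmp_msg: bytes):
    """If icmp_msg is ICMPv4 type 3 code 4 (fragmentation needed, DF set),
    return the next-hop MTU it advertises (RFC 1191); otherwise None.
    Dropping all ICMP discards exactly this message, so a sender with DF set
    never learns the smaller MTU and the connection stalls."""
    if len(icmp_msg) < 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp_msg[:8])
    if icmp_type == 3 and code == 4:
        return mtu
    return None


# Constructed samples (header only; bodies are irrelevant to the checks).
# 0x8380 = QR | TC | RD | RA; 0x8180 = QR | RD | RA (complete answer).
TRUNCATED_ANSWER = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 1, 0, 0)
COMPLETE_ANSWER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
ICMP_FRAG_NEEDED = struct.pack("!BBHHH", 3, 4, 0, 0, 1400)  # next-hop MTU 1400
ICMP_ECHO_REPLY = struct.pack("!BBHHH", 0, 0, 0, 0, 0)

if __name__ == "__main__":
    print("truncated answer needs TCP retry:", needs_tcp_retry(TRUNCATED_ANSWER))
    print("complete answer needs TCP retry:", needs_tcp_retry(COMPLETE_ANSWER))
    print("frag-needed MTU:", icmp_frag_needed_mtu(ICMP_FRAG_NEEDED))
    print("echo reply MTU:", icmp_frag_needed_mtu(ICMP_ECHO_REPLY))
```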