[Dshield] Re: Risk Assessment

Mar Matthias Darin BDarin at tanaya.net
Wed Oct 27 09:38:13 GMT 2004


Hello, 

I disregard what I explicitly do not use.  As I said in the original 
message: careful research (in my case, 4 years) and READING. 

As far as large transfers of DNS entries go, only my secondaries are allowed 
that.  The service I use for my secondary aided in the entire process of 
setting up and securing my DNS server, along with a complete list of 
recommendations of what to allow or not, which I chose to follow. 

Brian Dessent writes: 

> So, you disregard protocol specs and it hasn't bitten you /yet/, that
> you've noticed.  Example: most of the time DNS uses only UDP.  But, for
> large queries and zone transfers it can use TCP.  Let's consider the
> poor readers of the list that, having followed your advice, said to
> themselves, "Gee, I don't see any TCP being used by DNS, so I'm not
> going to allow TCP through my firewall on 53."  And then a couple of
> years down the line they try to set up an off-site secondary nameserver, the
> zone transfers inexplicably fail and no one knows why.  Much hair
> pulling ensues.  And name resolution fails very infrequently for some
> obscure sites because only the first 512 bytes of the response come
> through.  That's not the kind of behavior I'd encourage in an
> administrator: "I'll just let through what seems to be needed, not what
> the specifications call for."

See a previous message posted here to another reader...  If I break 
something, my users are *very* vociferous about it.  My decisions are far 
from haphazard or blind. 

> Again, you're just in denial that there could possibly be anything wrong
> because you chose to block something that is mostly never used and you
> personally haven't noticed any side effects.  Nevertheless, it's an
> important network functionality and blocking it does no good whatsoever
> other than make you feel all warm and tingly because "I block all
> ICMP."  I don't think the people that happen to have a small MTU that
> can't load your site because they depend on pMTUd are really going to
> agree with you there.

What I am advocating is that the individual LEARN about the service they use 
and explicitly set their firewall accordingly.  That learning process is 
neither quick nor easy.  It means *extensively*: 

1. researching the software they want to use and quite possibly contacting 
the author for their advice on securing it and/or modifications to it. 

2. researching any add-ons to the package to be sure that those requirements 
are met. 

3. Knowing the market to be serviced and its specific requirements.  Not 
every business operates in a public market. 

Finally, I did not say they were the "best" practices.  Only the individual 
who wrote the original question can determine what is "best" for them.  I 
said the items I listed were what I used.  I believe that comment falls 
under the *reading* aspect. 

> You can do whatever you want with your equipment and your network, that
> was not my point.  My point was that when you go advocating your silly
> methods to the rest of the world as "best practices" then you should be
> prepared for someone to call you on it.  Good network stewardship calls
> for following the specifications, not breaking them because you feel
> like it out of some misguided sense of security.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/list/attachments/20041027/c18349bb/attachment.bin
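The point Brian makes about TCP/53, as an added worked example that is not part of either poster's message: a minimal DNS client that sends over UDP, reads the TC (truncated) bit in the reply header and retries over TCP with the 2-byte length prefix, and sends AXFR over TCP only. The nameserver, the zone name "big.example." and the transports are stand-ins constructed here so the code runs offline; the 512-byte limit is the classic one without EDNS0. The failure branch shows what a firewall that drops TCP/53 does to a resolver whose UDP answer was truncated.

```python
"""Added example (not from the list post): why a DNS client needs TCP/53
as well as UDP/53.  Builds a query, checks the TC bit of the reply and
falls back to TCP framing (RFC 1035 section 4.2.2).  Transports are
injected callables so everything below runs against constructed bytes."""
import struct

QTYPE_A = 1
QTYPE_AXFR = 252
FLAG_QR = 0x8000          # header flag: message is a response
FLAG_TC = 0x0200          # header flag: answer was truncated
MAX_UDP_PAYLOAD = 512     # classic UDP limit without EDNS0

def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    # header: id, flags (RD=1), qdcount=1, ancount/nscount/arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def frame_for_tcp(msg: bytes) -> bytes:
    # over TCP every DNS message carries a 2-byte big-endian length prefix
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def resolve(name, qtype, udp_send, tcp_send):
    """Return (message, transport_used).  udp_send/tcp_send take a wire
    message and return the raw reply, or None if the firewall dropped it."""
    query = build_query(name, qtype)
    if qtype == QTYPE_AXFR:
        # zone transfers are TCP-only; there is no UDP path to try
        reply = tcp_send(frame_for_tcp(query))
        if reply is None:
            raise ConnectionError("AXFR needs TCP/53 and it was blocked")
        return reply[2:], "tcp"
    reply = udp_send(query)
    if reply is None:
        raise ConnectionError("no UDP answer")
    if not parse_header(reply)["tc"]:
        return reply, "udp"
    # the answer did not fit the datagram: RFC 1035 says retry over TCP
    reply = tcp_send(frame_for_tcp(query))
    if reply is None:
        raise ConnectionError("answer truncated and TCP/53 blocked: resolution fails")
    return reply[2:], "tcp"

# --- constructed stand-in for a server whose answer exceeds 512 bytes ---
def _fake_server(query: bytes, via: str) -> bytes:
    txid, = struct.unpack("!H", query[:2])
    question = query[12:]
    # 40 A records of 16 bytes each = 640 bytes: too big for one plain UDP reply
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + b"\x0a\x00\x00\x01"
    if via == "udp":
        # like a real server: set TC, send only a header plus question
        flags = FLAG_QR | FLAG_TC | 0x0100
        msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
        return msg[:MAX_UDP_PAYLOAD]
    msg = struct.pack("!HHHHHH", txid, FLAG_QR | 0x0100, 1, 40, 0, 0) + question + rr * 40
    return frame_for_tcp(msg)

udp_ok = lambda q: _fake_server(q, "udp")          # UDP/53 allowed
tcp_ok = lambda q: _fake_server(q[2:], "tcp")      # TCP/53 allowed (strip length prefix)
tcp_blocked = lambda q: None                       # firewall drops TCP/53

def demo():
    """Same lookup with and without TCP/53 through the firewall."""
    msg, via = resolve("big.example.", QTYPE_A, udp_ok, tcp_ok)
    with_tcp = (via, parse_header(msg)["ancount"])
    try:
        resolve("big.example.", QTYPE_A, udp_ok, tcp_blocked)
        without_tcp = None
    except ConnectionError as e:
        without_tcp = str(e)
    return with_tcp, without_tcp

if __name__ == "__main__":
    print(demo())
```

Against a real server the two callables would wrap a UDP socket and a TCP socket on port 53; the decision logic in resolve() is the same, which is why a rule that only passes UDP/53 works for months and then fails on the first large answer or the first off-site secondary.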