[Dshield] DNS Firewalling: Back to basics

Commerco WebMaster Webmaster at Commerco.Net
Thu Oct 28 07:17:12 GMT 2004


Dear DShield List Members,

I have recently been observing an increasing number of attempts to access 
DNS by port ranges below 1024 to port 53 in the logs (e.g., port 485 
inbound to port 53 on the local DNS servers).  I have always viewed such 
requests as problem requests.  In older (and I fear, simpler) times, as I 
recall, we could presume the following general matrix was true for both UDP 
and TCP DNS traffic:

External Request Patterns (when the DNS question is for us)
Expected Incoming Traffic port patterns:
53 -> 53 - OK
GT 1023 -> 53 - OK
Expected Outgoing Traffic port patterns:
53 -> 53 - OK
53 -> GT 1023 - OK

Internal Request Patterns (when we ask the DNS question)
Expected Incoming Traffic port patterns:
53 -> 53 - OK
53 -> GT 1023 - OK
Expected Outgoing Traffic port patterns:
53 -> 53 - OK
GT 1023 -> 53 - OK

Everything else is suspect.

Presuming I put together the matrix above properly, do these general rules 
of thumb for DNS server firewalling still apply or did I miss a memo? :-)

Best,

Alan Maitland
The Commerce Company - Making Commerce Simple(sm)
http://WWW.Commerco.Com/
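The matrix in the post, encoded as a small classifier. This is an added example, not code from Alan's message or from Commerco; the firewall log format (`IN|OUT proto src:port -> dst:port`) and the sample lines are constructed here for illustration, and the "GT 1023" rule is taken literally, so port 1023 itself counts as privileged.

```python
"""Classify DNS flows against the port-pattern matrix from the post.

Added example. Assumes a constructed log format:
    IN  udp 203.0.113.5:34512 -> 198.51.100.2:53
    OUT udp 198.51.100.2:53   -> 203.0.113.7:1024
where IN means the packet arrives at our DNS server and OUT means it
leaves it. The matrix applies equally to UDP and TCP.
"""
import re
from typing import List, NamedTuple, Tuple

DNS_PORT = 53


class Flow(NamedTuple):
    direction: str  # "IN" or "OUT" relative to our DNS server
    proto: str      # "udp" or "tcp"
    src_port: int
    dst_port: int


def _is_unprivileged(port: int) -> bool:
    """The post's 'GT 1023' rule: strictly greater than 1023."""
    return port > 1023


def matches_matrix(flow: Flow) -> bool:
    """True when the flow matches one of the 'OK' rows of the matrix."""
    s, d = flow.src_port, flow.dst_port
    if flow.direction == "IN":
        # External request for us: 53 -> 53, GT 1023 -> 53.
        # Answer to a question we asked: 53 -> 53, 53 -> GT 1023.
        return ((s == DNS_PORT and d == DNS_PORT)
                or (_is_unprivileged(s) and d == DNS_PORT)
                or (s == DNS_PORT and _is_unprivileged(d)))
    if flow.direction == "OUT":
        # Our answer to an external request: 53 -> 53, 53 -> GT 1023.
        # Our own question going out: 53 -> 53, GT 1023 -> 53.
        return ((s == DNS_PORT and d == DNS_PORT)
                or (s == DNS_PORT and _is_unprivileged(d))
                or (_is_unprivileged(s) and d == DNS_PORT))
    raise ValueError(f"unknown direction {flow.direction!r}")


# Constructed log line shape; a real firewall will differ.
LOG_LINE = re.compile(
    r"^(?P<dir>IN|OUT)\s+(?P<proto>udp|tcp)\s+"
    r"[\d.]+:(?P<sport>\d+)\s*->\s*[\d.]+:(?P<dport>\d+)$"
)


def parse_log_line(line: str) -> Flow:
    m = LOG_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    return Flow(m["dir"], m["proto"], int(m["sport"]), int(m["dport"]))


def classify(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, verdict) pairs; anything outside the matrix is SUSPECT."""
    return [(ln, "OK" if matches_matrix(parse_log_line(ln)) else "SUSPECT")
            for ln in lines]


def suspects(lines: List[str]) -> List[str]:
    return [ln for ln, verdict in classify(lines) if verdict == "SUSPECT"]


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "IN  udp 203.0.113.5:53 -> 198.51.100.2:53",        # server-to-server
    "IN  udp 203.0.113.5:34512 -> 198.51.100.2:53",     # resolver asking us
    "IN  udp 203.0.113.9:485 -> 198.51.100.2:53",       # the case in the post
    "IN  tcp 203.0.113.5:53 -> 198.51.100.2:40000",     # answer to our query
    "OUT udp 198.51.100.2:53 -> 203.0.113.7:53",        # our server-to-server
    "OUT udp 198.51.100.2:53 -> 203.0.113.7:1024",      # 1024 is GT 1023
    "OUT udp 198.51.100.2:1023 -> 203.0.113.7:53",      # 1023 is not GT 1023
    "OUT udp 198.51.100.2:53 -> 203.0.113.7:80",        # 53 talking to 80
]

if __name__ == "__main__":
    for line, verdict in classify(SAMPLE_LOG):
        print(f"{verdict:8} {line}")
```

Running it flags the `485 -> 53` pattern from the post along with the other two out-of-matrix lines. Writing the rows out this way also makes one property of the matrix visible: the IN and OUT sets are identical, so a DNS flow is "OK" exactly when one endpoint is port 53 and the other is either 53 or above 1023, whichever way it is travelling.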
