[Dshield] DNS Firewalling: Back to basics

Brent Gardner bgardner at iprocorp.com
Thu Oct 28 15:50:54 GMT 2004


Say a remote host connects to the Internet through a NATted firewall.  If
that host queries your DNS server isn't it possible that the 'from' ports
may not be what is expected?

Brent Gardner
Network Administrator
IPRO Tech, Inc.
602-324-4776
www.iprocorp.com 


> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Commerco 
> WebMaster
> Sent: Thursday, October 28, 2004 12:17 AM
> To: General DShield Discussion List
> Subject: [Dshield] DNS Firewalling: Back to basics
> 
> 
> Dear DShield List Members,
> 
> I have recently been observing an increasing number of attempts to access
> DNS by port ranges below 1024 to port 53 in the logs (e.g., port 485
> inbound to port 53 on the local DNS servers).  I have always viewed such
> requests as problem requests.  In older (and I fear, simpler) times, as I
> recall, we could presume the following general matrix was true for both
> UDP and TCP DNS traffic:
> 
> External Request Patterns (when the DNS question is for us)
>   Expected Incoming Traffic port patterns:
>     53 -> 53        - OK
>     GT 1023 -> 53   - OK
>   Expected Outgoing Traffic port patterns:
>     53 -> 53        - OK
>     53 -> GT 1023   - OK
> 
> Internal Request Patterns (when we ask the DNS question)
>   Expected Incoming Traffic port patterns:
>     53 -> 53        - OK
>     53 -> GT 1023   - OK
>   Expected Outgoing Traffic port patterns:
>     53 -> 53        - OK
>     GT 1023 -> 53   - OK
> 
> Everything else is suspect.
> 
> Presuming I put together the matrix above properly, do these general rules
> of thumb for DNS server firewalling still apply or did I miss a memo? :-)
> 
> Best,
> 
> Alan Maitland
> The Commerce Company - Making Commerce Simple(sm) 
> http://WWW.Commerco.Com/
> 
> 
> _______________________________________________
> DShield and the Internet Storm Center are sponsored by the 
> SANS Institute. To learn more about current SANS training, 
> see http://www.sans.org .
> 
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list
> 
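Alan's matrix as a runnable log check, added here as an example and not part of either message: it parses constructed firewall log lines in an assumed "IN|OUT PROTO src:port -> dst:port" format and marks each flow "ok" or "suspect" against the expected port patterns, trying both the "question is for us" and "we asked" roles because a firewall log does not record who asked.

```python
import re

# Port patterns from the matrix, keyed by (role, direction):
#   role "server" = the DNS question is for us; "client" = we asked it.
def matrix_ok(role, direction, src_port, dst_port):
    """True if src_port -> dst_port matches the expected pattern."""
    high = lambda p: p > 1023
    if (role, direction) in (("server", "in"), ("client", "out")):
        # query toward a name server: 53 -> 53 or GT 1023 -> 53
        return dst_port == 53 and (src_port == 53 or high(src_port))
    if (role, direction) in (("server", "out"), ("client", "in")):
        # reply from a name server: 53 -> 53 or 53 -> GT 1023
        return src_port == 53 and (dst_port == 53 or high(dst_port))
    raise ValueError(f"unknown role/direction: {role}/{direction}")

# Assumed log format (constructed for this example, not a real firewall's).
LOG_RE = re.compile(r"^(IN|OUT) (?:UDP|TCP) [\d.]+:(\d+) -> [\d.]+:(\d+)$")

def classify(line):
    """Classify one log line as 'ok' or 'suspect' under the matrix.

    The log does not say who asked the question, so the flow is accepted
    if it fits either the server-side or the client-side pattern.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    direction, src, dst = m.group(1).lower(), int(m.group(2)), int(m.group(3))
    if any(matrix_ok(role, direction, src, dst) for role in ("server", "client")):
        return "ok"
    return "suspect"

# Constructed sample lines (not from the post's own logs); the first one is
# the "port 485 inbound to port 53" pattern Alan describes.
SAMPLE_LOG = """\
IN UDP 198.51.100.7:485 -> 192.0.2.53:53
IN UDP 198.51.100.9:34567 -> 192.0.2.53:53
IN TCP 203.0.113.5:53 -> 192.0.2.53:53
OUT UDP 192.0.2.53:53 -> 203.0.113.5:40000
OUT UDP 192.0.2.53:1025 -> 203.0.113.5:53
IN UDP 203.0.113.5:53 -> 192.0.2.53:1025
IN UDP 203.0.113.5:1025 -> 192.0.2.53:1025
"""

def audit(log_text):
    """Return (line, verdict) pairs for every non-empty line in the log."""
    return [(l, classify(l)) for l in log_text.splitlines() if l.strip()]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:8} {line}")
```

A "suspect" verdict is a prompt to look closer rather than a block decision on its own: as Brent notes, a client behind a NAT device can arrive with a rewritten source port, so the low-port case deserves investigation of the source before a rule is tightened.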



