[unisog] DNS over TCP should we block

Vijay S Sarvepalli VSSARVEP VSSARVEP at uncg.edu
Tue Jan 4 22:05:07 GMT 2005


Thanks for all the opinions. 
A) First problem: I was thinking of blocking outgoing DNS over TCP from my servers; as you know, fewer services allowed through the firewall, less trouble to worry about. If I open it up, it has to be for the whole world, as I cannot determine which are valid nameservers. I also can set the DNS query-source port in UDP to be specific. For e.g.

query-source * 10000;

Then one firewall rule for

MY IP (UDP 10000) => ANY (UDP 53)

will give a fairly tight rule. As NAMED is listening on 10000 (or whatever), nobody else can exploit that port. Whereas TCP will use any 1023+ port, and anybody can run a netcat relay if my box is carefully accessed.

A longer picture of dropping DNS over TCP (even inbound):

Here is the reason for looking at DNS over TCP incoming as a possible

1) Our DNS records have never needed a virtual circuit (this means most replies to queries have been small enough). If it is not needed, why allow it, is my first thought.
2) Zone transfer is already denied by default with "allow-transfer { none; };" and specific allow statements for each zone. Zone transfer is NOT the threat being addressed. There is also the TSIG option for this.
3) DoS attack on TCP port 53.

I do value your opinions guys/gals, so speak on.
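Point 1 above ("our records have never needed a virtual circuit") is something a practitioner can measure before dropping TCP 53: every UDP reply that goes out with the TC bit set is one a client will retry over TCP. The following is an added example, not code from the original post or from BIND; it decodes the 12-byte DNS header of captured responses and counts the truncated ones, using response bytes constructed inline.

```python
import struct

# DNS header layout (RFC 1035): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")
QR_BIT = 0x8000   # message is a response
TC_BIT = 0x0200   # response was truncated; client falls back to TCP


def parse_header(msg: bytes) -> dict:
    """Decode the fixed header of a raw DNS message (UDP payload bytes)."""
    if len(msg) < HEADER.size:
        raise ValueError("DNS message shorter than 12-byte header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": bool(flags & QR_BIT),
        "tc": bool(flags & TC_BIT),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "size": len(msg),
    }


def needs_tcp(msg: bytes) -> bool:
    """True if this reply would make a standards-following client retry over TCP."""
    h = parse_header(msg)
    return h["qr"] and h["tc"]


def tcp_fallback_stats(responses) -> dict:
    """Count responses and how many of them carry TC=1 (queries are skipped)."""
    total = truncated = 0
    for raw in responses:
        h = parse_header(raw)
        if not h["qr"]:
            continue
        total += 1
        if h["tc"]:
            truncated += 1
    return {"responses": total, "truncated": truncated}


def build_response(ident: int, truncated: bool) -> bytes:
    """Constructed sample: header + question 'example.com. IN A' (no answers)."""
    flags = 0x8180 | (TC_BIT if truncated else 0)    # QR=1, RD=1, RA=1
    qname = b"\x07example\x03com\x00"
    return HEADER.pack(ident, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


# Constructed capture: two normal replies and one truncated reply.
SAMPLE_RESPONSES = [build_response(1, False), build_response(2, True), build_response(3, False)]
```

Run the same counter over real UDP/53 replies taken off the server (e.g. from a packet capture) and a non-zero "truncated" count tells you which clients would be cut off by dropping TCP 53.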


Pascal Meunier <pmeunier at cerias.purdue.edu> 
Sent by: unisog-bounces at lists.sans.org
01/04/2005 03:58 PM
Please respond to
UNIversity Security Operations Group <unisog at lists.sans.org>

Re: [unisog] DNS over TCP should we block

The threats that the original poster may want to avoid should be without this discussion, it's not possible to say whether blocking DNS TCP (from where to where?) is the best way to mitigate them. If zone transfers are the threat in question:

-"It is better to use named.conf to control zone transfers... (than) firewalling tcp" (

-"The risk that zone transfers pose may be reduced by incorporating a split-DNS architecture. Split-DNS uses a DNS domain server for publicly reachable services within the DMZ, and a DNS domain server for the private internal network [7,8]"


So there are other ways to address this than blocking DNS over TCP.

Pascal Meunier
Purdue University CERIAS

On 1/4/05 3:15 PM, "Reg Quinton" <reggers at ist.uwaterloo.ca> wrote:

>> DNS over TCP should be permitted, in both directions.  Some things
>> will break if you do not allow it.
> I'll disagree.
> Assuming your clients are configured to use campus name servers there's 
> need to open DNS over TCP (and UDP) to everyone -- constrain it to just 
> campus DNS name servers.
> If you allow DNS over TCP and UDP to everyone then you can expect bad 
> to exploit that. 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
