[unisog] DNS over TCP should we block

John Kristoff jtk at northwestern.edu
Tue Jan 4 23:02:19 GMT 2005

On Tue, 4 Jan 2005 17:05:07 -0500
Vijay S Sarvepalli VSSARVEP <VSSARVEP at uncg.edu> wrote:

> A) First problem:  I was thinking of blocking outgoing DNS over TCP from 
> my servers as you know less services allowed through the firewall
> less trouble to worry about.

Not always, especially if you break basic protocol functionally.  :-)

> If I open it up, it has to be for the whole world, as I cannot
> determine which are valid nameservers.. I also can set the DNS
> query-source port in UDP to be specific.  Fr e.g 
> query-source * 10000;
> Then one firewall rule for 
> MY IP (UDP 10000) => ANY (UDP 53) 

Sometimes when you try to secure one thing you may actually make
another thing less secure.  Your example above may be example of
that.  By ensuring that the only port ever used by the server is
10000, you've reduced the unique identifier space that is used to
thwart a spoofed response.  Perhaps that risk is acceptable, but
it is at least good to know that it exists.

> Will give a fairly tight rule.  As NAMED is listening on 10000 (or 
> whatever), nobody else can exploit that port.  Whereas TCP will use any 
> 1023+ port
> and anybody can run a netcat relay if my box carefully accessed. 

That doesn't sound right at all.  I don't think query-source applies
to TCP traffic, though as I recall there is a 'transfer-source'
option as well, but that applies only to zone transfers.  Same caveat
applies, you're reducing the unique identifiers that make up the
TCP connection in this case.

> 1) Our dns records have never needed a virtual circuit (this means most 
> replies to queries have been small enough) - if it is not needed why allow 
> it is my first thought

My advice would be to consider taking the time to study the second
half of the NANOG presentation I linked to earlier.

> 3)  DOS attack on TCP port 53.

Not a good enough reason in my opinion, because you can just replace
TCP with UDP in that sentence.  While there are potential TCP-specific
state-based attacks, a DoS attack can be aimed through the smallest
window in your firewall ruleset.  If it's a pipe filler, you don't
even need to be running any services, you just need to have a reachable
address.  What ports to you block to stop that?

There are a number of ways to monitor for and mitigate most of the
concern you have.  There are consequences to DNS over TCP filtering.
It is not something that should normally be done.  It is just basic
protocol functionality.  I recommend skimming through the RFCs and
perusing the issue online where it has come up before.  The Usenet
comp.protocols.dns.* group for instance may be a good place to start
your search and even ask for a second opinion.


More information about the unisog mailing list