[unisog] DNS over TCP should we block

PaulFM paulfm at me.umn.edu
Wed Jan 5 16:37:00 GMT 2005

The serious issue with TCP port 53 has little to do with DNS.

Nefarious persons are using that port as the port of choice for the 
telnet/ssh service they install on compromised machines - simply because it 
tends to be allowed through even when other ports are blocked.

You should block TCP port 53 incoming to all BUT your DNS servers (if you 
tend to block ports - if you don't block ports crackers can just use another 
port anyway).

For a locked down network, you should block initial incoming TCP connections 
except to the machines that provide services on particular ports  (at least 
ports 0-1023 - note: FTP servers connect back to clients from port 20 TCP to 
a high port [1024+] on the client, stateful firewalls can handle this) - if 
you allow initial connections - LOG THEM so you can watch for nefarious 
activity.  You might want to also block port 0-1023 UDP coming in.

Leigh Heyman wrote:

> Valdis.Kletnieks at vt.edu wrote:
>> On Wed, 05 Jan 2005 01:43:31 +0100, Florian Weimer said:
>>>  Therefore, it's been proposed to answer requests of unknown
>>> origin with a truncated response, to force the resolver to requery
>>> over TCP.  Now apply SYN cookies. 
>> One other issue there is that if you're running a *VERY* high-volume
>> mail server (something more than 500K-1M outbound connections/day),
>> the additional latency introduced by trying UDP, then having to redo
>> via TCP (remember - a min of 8 more packets on top of the 2 UDP packets)
>> can start to impact your throughput. 
> By "requests of unknown origin" did Florian mean requests from outside 
> clients to internal resolvers?  In that case, queries from your own 
> mailservers and webservers wouldn't qualify as "unknown" and therefore 
> should still happily use UDP yes?
> -L
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm

More information about the unisog mailing list