[unisog] DNS over TCP should we block

Vijay S Sarvepalli VSSARVEP VSSARVEP at uncg.edu
Wed Jan 5 16:21:25 GMT 2005

Many of your opinions have been handy.  The best approach is what we 
already have been doing:
1) Allow and LOG TCP DNS incoming queries (I have practically seen none 
in our log files so far, though as the BU.EDU admin pointed out it is possible).
2) Allow and LOG TCP DNS outgoing queries (so we can at least see where 
they are going to).
3) Tighten zone transfer by TSIG or an IP-based ruleset; LOG zone transfer 
requests for intrusion purposes.
4) Restrict DNS outgoing UDP queries by keeping a tight port control on the 
unprivileged higher port (I don't see why this would
not help, for the reasons I had mentioned before - but I do understand the risk is 
not eliminated but reduced).
5) Of course chroot named and run named with restricted privileges (which 
is almost a standard procedure anymore).

The NANOG paper was very useful in identifying problems to other servers 
caused by killing TCP queries.  Netiquette 
is something we pursue as well so we don't cause others hassle by our 

Thanks again for the lively discussion..
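As an added illustration of points 1-3 above (not code from the original post or from the list), here is a small review script for BIND 9 style query-log lines that flags TCP queries and AXFR/IXFR requests from addresses outside an assumed list of authorised secondaries. The log lines and the secondary list are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in BIND 9 query-log style (not from the original post).
# Flags field: '+'/'-' is recursion desired, 'T' marks a query received over TCP.
SAMPLE_LOG = """\
client 192.0.2.10#40123: query: www.example.edu IN A -
client 198.51.100.5#53: query: example.edu IN AXFR -T
client 203.0.113.9#51000: query: example.edu IN AXFR -T
client 203.0.113.9#51001: query: mail.example.edu IN MX -T
client 192.0.2.11#40124: query: example.edu IN IXFR -
"""

# Assumed set of secondaries allowed to pull zones (assumption for the example).
ALLOWED_SECONDARIES = [ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Parse one query-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["tcp"] = "T" in rec["flags"]
    return rec


def review_log(text, allowed=ALLOWED_SECONDARIES):
    """Return (tcp_queries, suspicious_transfers).

    tcp_queries: every query that arrived over TCP (point 1: see what is there).
    suspicious_transfers: AXFR/IXFR requests from sources not in `allowed`
    (point 3: zone transfer requests worth an intrusion review).
    """
    tcp_queries, suspicious = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["tcp"]:
            tcp_queries.append(rec)
        if rec["type"] in ("AXFR", "IXFR"):
            src = ip_address(rec["ip"])
            if not any(src in net for net in allowed):
                suspicious.append(rec)
    return tcp_queries, suspicious
```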

