On Sat, 5 May 2001 12:36:05 -0400, Jason Lewis <jlewisat_private> wrote:

>DNS queries are on UDP port 53. TCP port 53 is used for zone transfers. By
>blocking TCP port 53 I can't do zone transfers, but clients can still do
>lookups on UDP 53. Since I have blocked TCP port 53, I have seen a decrease
>in attack attempts on my name servers, primarily because that port isn't
>open. I do still see scans for the DNS ports, but nothing more than a port
>scan.
>
>My name servers are successfully serving my domains, so I don't see a
>downside. Thoughts?

If you query a site with a DNS entry that is too big for UDP (approx 512
bytes) then your name server will switch over to TCP. You have just blocked
your access to sites with large DNS entries.

It is much better to selectively block DNS over TCP, by accepting incoming
TCP:53 if the ACK bit is set and refusing incoming TCP:53 without the ACK
bit. Since the only incoming TCP packet without ACK is the initial SYN
packet from outside, that prevents somebody attacking you over TCP:53 but
lets you start a TCP:53 session. Also allow TCP:53 for your external name
servers, with or without ACK.
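Added illustration, not part of the original post and not anyone's real firewall configuration: a small Python model of the two points in the reply above. The first function applies the stateless ACK-bit policy to a few constructed packets (inbound TCP:53 accepted only when ACK is set or the source is one of the secondaries; UDP:53 always accepted). The second reads the TC bit from a constructed DNS response header, which is what makes a resolver switch to TCP when an answer does not fit in a 512-byte UDP message. The addresses are documentation ranges (RFC 5737) picked for the example; the secondaries set and the packet field names are assumptions of this model, and a real deployment would express the same policy in its firewall's own rule syntax.

```python
"""Model of the selective TCP:53 policy from the reply (constructed example).

Not the poster's code: packet fields, the secondaries list and the addresses
are placeholders chosen for illustration.
"""
from dataclasses import dataclass, field

# RFC 1035 limit for a DNS message carried in plain UDP (no EDNS0 assumed)
UDP_DNS_MAX = 512

# Placeholder addresses (RFC 5737) for the external secondaries that must be
# able to open TCP:53 to us for zone transfers, with or without ACK set.
EXTERNAL_NAME_SERVERS = {"192.0.2.53", "198.51.100.53"}


@dataclass
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str                        # source IP address
    src_port: int
    dst_port: int
    flags: frozenset = field(default_factory=frozenset)  # TCP flags, e.g. {"SYN", "ACK"}


def inbound_verdict(pkt, external_ns=EXTERNAL_NAME_SERVERS):
    """Stateless decision for a packet arriving from the outside."""
    if 53 not in (pkt.src_port, pkt.dst_port):
        return "UNRELATED"          # this policy only concerns DNS traffic
    if pkt.proto == "udp":
        return "ACCEPT"             # ordinary lookups stay on UDP:53
    if pkt.proto != "tcp":
        return "DROP"
    if pkt.src in external_ns:
        return "ACCEPT"             # secondaries may open TCP:53 (zone transfer)
    if "ACK" in pkt.flags:
        return "ACCEPT"             # reply leg of a TCP:53 session our resolver opened
    return "DROP"                   # bare SYN from an arbitrary host: new inbound TCP:53 connection


def dns_is_truncated(msg: bytes) -> bool:
    """True if the DNS header's TC bit is set, i.e. the answer did not fit in UDP.

    Header layout (RFC 1035): ID(2) | flags(2) | QDCOUNT(2) | ANCOUNT(2) |
    NSCOUNT(2) | ARCOUNT(2).  TC is bit 0x0200 of the flags word.
    """
    if len(msg) < 12:
        raise ValueError("too short for a DNS header")
    flags = int.from_bytes(msg[2:4], "big")
    return bool(flags & 0x0200)


def needs_tcp_fallback(response: bytes) -> bool:
    """A truncated UDP answer means the resolver will re-ask over TCP:53;
    a blanket TCP:53 block turns that retry into a lookup failure."""
    return dns_is_truncated(response)


# Constructed sample traffic as seen by the outside interface
SAMPLES = {
    "client udp query":        Packet("udp", "203.0.113.7", 40000, 53),
    "stranger tcp syn":        Packet("tcp", "203.0.113.7", 40001, 53, frozenset({"SYN"})),
    "reply to our tcp query":  Packet("tcp", "203.0.113.8", 53, 50000, frozenset({"SYN", "ACK"})),
    "secondary tcp syn":       Packet("tcp", "192.0.2.53", 40002, 53, frozenset({"SYN"})),
    "unrelated web syn":       Packet("tcp", "203.0.113.9", 40003, 80, frozenset({"SYN"})),
}

# Constructed 12-byte DNS response headers: QR+TC set (0x8200) vs QR+RD+RA (0x8180)
TRUNCATED_RESPONSE = bytes.fromhex("abcd82000001000000000000")
NORMAL_RESPONSE = bytes.fromhex("abcd81800001000100000000")


def run_samples():
    return {name: inbound_verdict(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} -> {verdict}")
    print("truncated reply needs TCP:", needs_tcp_fallback(TRUNCATED_RESPONSE))
    print("normal reply needs TCP:   ", needs_tcp_fallback(NORMAL_RESPONSE))
```

Two caveats a practitioner would add today: the ACK-bit test is a stateless approximation of "established", so a packet with ACK set but no matching connection still passes (a stateful filter that tracks the outbound SYN closes that gap), and resolvers with EDNS0 can negotiate UDP answers larger than 512 bytes, but the TC bit and the retry over TCP:53 still occur whenever an answer exceeds the negotiated size, so the reply's objection to a blanket TCP:53 block stands.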
This archive was generated by hypermail 2b30 : Mon May 07 2001 - 07:35:31 PDT