IIRC, the most recent BIND exploit can exploit named through UDP, so blocking TCP may be a false sense of security, or security through obscurity. The best solution is to upgrade and not have to worry about hiding vulnerable daemons behind a filter or firewall.

-ryan

----- Original Message -----
From: "Jason Lewis" <jlewisat_private>
To: <INCIDENTSat_private>
Sent: Saturday, May 05, 2001 11:36 AM
Subject: DNS ports and scans

: DNS queries are on UDP port 53. TCP port 53 is used for zone transfers. By
: blocking TCP port 53 I can't do zone transfers, but clients can still do
: lookups on UDP 53. Since I have blocked TCP port 53, I have seen a decrease
: in attack attempts on my name servers, primarily because that port isn't
: open. I do still see scans for the DNS ports, but nothing more than a port
: scan.
:
: My question is... Can anyone come up with any pros/cons of doing this?
:
: My name servers are successfully serving my domains, so I don't see a
: downside. Thoughts?
:
: Jason Lewis
: http://www.rivalpath.com
: "All you can do is manage the risks. There is no security."
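Added example, not from either poster: besides zone transfers, RFC 1035 (section 4.2.1) makes TCP port 53 the fallback path whenever a UDP answer comes back with the TC (truncation) bit set, so a TCP/53 filter can also break ordinary lookups of names with large answers. The snippet below parses a DNS message header and reports whether a TCP retry is required; the sample messages are constructed by hand, not captured traffic.

```python
"""Parse a DNS message header and decide whether a resolver must retry
over TCP.  Example added to this thread; sample messages are constructed,
not captured from a real server."""
import struct

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount

def parse_header(msg: bytes) -> dict:
    """Return the header fields of a DNS message (RFC 1035 section 4.1.1)."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),      # 1 = response, 0 = query
        "opcode": (flags >> 11) & 0xF,
        "tc": bool(flags & 0x0200),      # TrunCation: answer did not fit in UDP
        "rd": bool(flags & 0x0100),      # recursion desired
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def needs_tcp_retry(udp_response: bytes) -> bool:
    """A UDP answer with TC=1 was cut at the UDP payload limit; RFC 1035 4.2.1
    tells the client to re-ask over TCP port 53 to get the complete answer.
    A firewall that drops TCP/53 therefore breaks resolution of such names."""
    h = parse_header(udp_response)
    return h["qr"] and h["tc"]

def build_query(ident: int, name: str, qtype: int = 1) -> bytes:
    """Build a minimal recursion-desired query (qtype 1 = A, 16 = TXT)."""
    flags = 0x0100  # RD set, everything else zero
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return HEADER.pack(ident, flags, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

# Constructed sample responses; only the header matters for this check.
TRUNCATED_RESPONSE = HEADER.pack(0x1234, 0x8380, 1, 0, 0, 0)   # QR=1 TC=1 RD=1 RA=1
COMPLETE_RESPONSE = HEADER.pack(0x1234, 0x8180, 1, 1, 0, 0)    # QR=1 TC=0 RD=1 RA=1

if __name__ == "__main__":
    print("truncated answer needs TCP retry:", needs_tcp_retry(TRUNCATED_RESPONSE))  # True
    print("complete answer needs TCP retry: ", needs_tcp_retry(COMPLETE_RESPONSE))   # False
```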
This archive was generated by hypermail 2b30 : Mon May 07 2001 - 07:50:11 PDT