Re: DNS ports and scans

From: Frijole (frijoleat_private)
Date: Mon May 14 2001 - 10:16:41 PDT

    There is one major downside to blocking TCP port 53 - some Microsoft clients
    will not be able to do host lookups properly. I have seen this on NT 4.0
    with OP4 installed. The SMTP service was polling the dns server using TCP,
    not UDP. Searching http://support.microsoft.com I found an obscure article
    (that I wish I had saved) which stated that according to the RFC, both TCP
    and UDP connections should be allowed on public DNS servers. Once I opened
    TCP, the SMTP was able to resolve properly and send messages.
    
    I have noticed in my DNS server log files that many of the NT boxes on our
    LAN do attempt to transfer zones, but I have not taken the time to
    investigate it. As transfers are *still* restricted on our DNS servers, we
    know that the NT box referenced above was not failing due to the inability
    to transfer a zone, but was using TCP instead of UDP to query the DNS
    server.
    
    
    Youn Gonzales
    System Administrator
    CLAS Net Inc.
    Comptia A+, Network+
    Cisco CCNA
    Chicken is tasty..
    
    
    ----- Original Message -----
    From: "Eyes to the Skies." <sgtphou@fire-eyes.yi.org>
    To: <INCIDENTSat_private>
    Sent: Saturday, May 05, 2001 3:18 PM
    Subject: Re: DNS ports and scans
    
    
    > Jason Lewis wrote:
    > >
    > > DNS queries are on UDP port 53.  TCP port 53 is used for zone transfers.
    > > By blocking TCP port 53 I can't do zone transfers, but clients can still do
    > > lookups on UDP 53.  Since I have blocked TCP port 53, I have seen a
    > > decrease in attack attempts on my name servers, primarily because that port
    > > isn't open.  I do still see scans for the DNS ports, but nothing more than
    > > a port scan.
    > >
    > > My question is...Can anyone come up with any pros/cons of doing this?
    > >
    > > My name servers are successfully serving my domains, so I don't see a
    > > downside.  Thoughts?
    >
    > Well, I run a caching DNS server, only for myself. I was always
    > wondering how to stop it from listening on my ppp (outside world)
    > interface, since no one on the outside needs to connect to me. I
    > firewalled as well.
    >
    > Today I figured out how to keep it listening only on the IPs/interfaces
    > you want.
    >
    > I have a dial up box here, which runs the dns server. I have another box
    > that is NAT'd as well. Anyway here's how I got it to listen only on
    > 127.0.0.1 and 192.168.0.1 :
    >
    > in /etc/named.conf (this is bind8):
    >
    > in the options section:
    >
    > listen-on { 127.0.0.1; 192.168.0.1; };
    >
    > So now, it doesn't even bother to listen on the outside world (ppp0).
    >
    > Other thoughts, if you do need it open to the outside world, would be to
    > have it use a different listen port. Anything other than 53.
    > --
    >
    >  http://c64.arcsnet.net/
    >  ICQ UIN 1551505
    >  "The things you own, they end up owning you." - Tyler Durden
    



    This archive was generated by hypermail 2b30 : Mon May 14 2001 - 16:20:13 PDT