There is one major downside to blocking TCP port 53 - some Microsoft clients will not be able to do host lookups properly. I have seen this on NT 4.0 with OP4 installed. The SMTP service was polling the DNS server using TCP, not UDP. Searching http://support.microsoft.com I found an obscure article (that I wish I had saved) which stated that according to the RFC, both TCP and UDP connections should be allowed on public DNS servers. Once I opened TCP, the SMTP was able to resolve properly and send messages.

I have noticed in my DNS server log files that many of the NT boxes on our LAN do attempt to transfer zones, but I have not taken the time to investigate it. As transfers are *still* restricted on our DNS servers, we know that the NT box referenced above was not failing due to the inability to transfer a zone, but was using TCP instead of UDP to query the DNS server.

Youn Gonzales
System Administrator
CLAS Net Inc.
Comptia A+, Network+
Cisco CCNA
Chicken is tasty..

----- Original Message -----
From: "Eyes to the Skies." <sgtphou@fire-eyes.yi.org>
To: <INCIDENTSat_private>
Sent: Saturday, May 05, 2001 3:18 PM
Subject: Re: DNS ports and scans

> Jason Lewis wrote:
> >
> > DNS queries are on UDP port 53. TCP port 53 is used for zone transfers. By
> > blocking TCP port 53 I can't do zone transfers, but clients can still do
> > lookups on UDP 53. Since I have blocked TCP port 53, I have seen a decrease
> > in attack attempts on my name servers, primarily because that port isn't
> > open. I do still see scans for the DNS ports, but nothing more than a port
> > scan.
> >
> > My question is...Can anyone come up with any pros/cons of doing this?
> >
> > My name servers are successfully serving my domains, so I don't see a
> > downside. Thoughts?
>
> Well, I run a caching DNS server, only for myself. I was always
> wondering how to stop it from listening on my ppp (outside world)
> interface, since no one on the outside needs to connect to me. I
> firewalled as well.
>
> Today i figured out how to keep it listening only on the IPs/interfaces
> you want.
>
> I have a dial up box here, which runs the dns server. I have another box
> that is NAT'd as well. Anyway here's how i got it to listen only on
> 127.0.0.1 and 192.168.0.1 :
>
> in /etc/named.conf (this is bind8):
>
> in the options section:
>
> listen-on { 127.0.0.1; 192.168.0.1; };
>
> So now, it doesn't even bother to listen on the outside world (ppp0).
>
> Other thoughts, if you do need it open to the outside world, would be to
> have it use a different listen port. Anything other than 53.
> --
>
> http://c64.arcsnet.net/
> ICQ UIN 1551505
> "The things you own, they own up owning you." - Tyler Durden
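The failure Youn describes (a client that needs TCP/53 for ordinary lookups, not for zone transfers) is the normal RFC 1035 client behaviour: a UDP answer that does not fit in 512 bytes comes back with the TC (truncated) bit set, and the client repeats the same query over TCP. The following script is an added illustration, not code from the thread or from any of its posters. It builds a DNS query, parses the reply header, and runs the UDP-then-TCP retry against a simulated name server so it works offline; the hostname, transaction id and 192.0.2.x addresses are constructed example values. One run shows the lookup succeeding with TCP/53 reachable, the other shows the same lookup failing when TCP/53 is filtered.

```python
import struct
import socket  # only used for inet_aton in the constructed A records

# Constructed example transaction id (not from the original thread).
TXID = 0x1234

def encode_name(name):
    """Encode a dotted hostname in DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=TXID):
    """Standard recursive query for `name` (qtype 1 = A, 15 = MX)."""
    flags = 0x0100                                   # RD=1, opcode QUERY
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return the header fields a client needs to decide its next step."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),           # TC: answer did not fit in UDP
        "rcode": flags & 0x000F,
        "answers": an,
    }

def make_response(query, answers, truncated=False):
    """Constructed server reply: echoes the question, sets TC when asked."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0)    # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    return header + query[12:] + b"".join(answers)

def a_record(ip):
    """One A record; name is a compression pointer to the question (offset 12)."""
    return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)

class TcpBlocked(Exception):
    """Raised by the simulated transport when TCP/53 is filtered."""

def resolve(query, send_udp, send_tcp):
    """RFC 1035 client behaviour: query over UDP; on TC=1 repeat over TCP.
    The transports are injected so the logic can run without a network."""
    reply = send_udp(query)
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch")
    if not hdr["truncated"]:
        return hdr
    # DNS over TCP prefixes every message with a 2-byte big-endian length.
    tcp_reply = send_tcp(struct.pack("!H", len(query)) + query)
    (length,) = struct.unpack("!H", tcp_reply[:2])
    return parse_header(tcp_reply[2:2 + length])

# --- simulated name server: too much data for UDP, full answer over TCP ------
def simulated_udp(query):
    return make_response(query, [], truncated=True)

def simulated_tcp(framed):
    body = make_response(framed[2:], [a_record("192.0.2.10"), a_record("192.0.2.11")])
    return struct.pack("!H", len(body)) + body

def simulated_tcp_filtered(framed):
    raise TcpBlocked("TCP/53 dropped by the firewall")

def lookup_with_tcp_open():
    return resolve(build_query("mail.example.test"), simulated_udp, simulated_tcp)

def lookup_with_tcp_blocked():
    try:
        resolve(build_query("mail.example.test"), simulated_udp, simulated_tcp_filtered)
        return "resolved"
    except TcpBlocked as exc:
        return "failed: truncated UDP answer and TCP retry blocked (%s)" % exc

if __name__ == "__main__":
    print(lookup_with_tcp_open())
    print(lookup_with_tcp_blocked())
```

Against a real server the same check is a one-liner: `dig +tcp @<your-nameserver> <name>` succeeds only if TCP/53 is reachable, so running it from outside the firewall after a port-53 filter change tells you whether clients that fall back to TCP (or whose answers exceed 512 bytes) will still resolve.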
This archive was generated by hypermail 2b30 : Mon May 14 2001 - 16:20:13 PDT