The KB article is http://support.microsoft.com/support/kb/articles/q263/2/37.asp.

John Coke
Information Security Specialist, Senior Hostmaster - RHCE, CCNA
i (B (E (A (M Broadcasting
ph: 405.717.4895
cell: 405.209.8519
PGP fingerprint: A8D1 4CBD 88CF 1B37 8008 2F79 3081 2108 8F45 E846
PGP key ID 0x8F45E846 (pgp.mit.edu)

> -----Original Message-----
> From: Frijole [mailto:frijoleat_private]
> Sent: Monday, May 14, 2001 12:17 PM
> To: Eyes to the Skies.; INCIDENTSat_private
> Subject: Re: DNS ports and scans
>
>
> There is one major downside to blocking TCP port 53 - some Microsoft clients
> will not be able to do host lookups properly. I have seen this on NT 4.0
> with OP4 installed. The SMTP service was polling the DNS server using TCP,
> not UDP. Searching http://support.microsoft.com I found an obscure article
> (that I wish I had saved) which stated that according to the RFC, both TCP
> and UDP connections should be allowed on public DNS servers. Once I opened
> TCP, the SMTP was able to resolve properly and send messages.
>
> I have noticed in my DNS server log files that many of the NT boxes on our
> LAN do attempt to transfer zones, but I have not taken the time to
> investigate it. As transfers are *still* restricted on our DNS servers, we
> know that the NT box referenced above was not failing due to the inability
> to transfer a zone, but was using TCP instead of UDP to query the DNS
> server.
>
>
> Youn Gonzales
> System Administrator
> CLAS Net Inc.
> Comptia A+, Network+
> Cisco CCNA
> Chicken is tasty..
>
>
> ----- Original Message -----
> From: "Eyes to the Skies." <sgtphou@fire-eyes.yi.org>
> To: <INCIDENTSat_private>
> Sent: Saturday, May 05, 2001 3:18 PM
> Subject: Re: DNS ports and scans
>
>
> > Jason Lewis wrote:
> > >
> > > DNS queries are on UDP port 53. TCP port 53 is used for zone transfers.
> > > By blocking TCP port 53 I can't do zone transfers, but clients can still
> > > do lookups on UDP 53. Since I have blocked TCP port 53, I have seen a
> > > decrease in attack attempts on my name servers, primarily because that
> > > port isn't open. I do still see scans for the DNS ports, but nothing
> > > more than a port scan.
> > >
> > > My question is...Can anyone come up with any pros/cons of doing this?
> > >
> > > My name servers are successfully serving my domains, so I don't see a
> > > downside. Thoughts?
> >
> > Well, I run a caching DNS server, only for myself. I was always
> > wondering how to stop it from listening on my ppp (outside world)
> > interface, since no one on the outside needs to connect to me. I
> > firewalled as well.
> >
> > Today I figured out how to keep it listening only on the IPs/interfaces
> > you want.
> >
> > I have a dial up box here, which runs the DNS server. I have another box
> > that is NAT'd as well. Anyway here's how I got it to listen only on
> > 127.0.0.1 and 192.168.0.1 :
> >
> > in /etc/named.conf (this is bind8):
> >
> > in the options section:
> >
> > listen-on { 127.0.0.1; 192.168.0.1; };
> >
> > So now, it doesn't even bother to listen on the outside world (ppp0).
> >
> > Other thoughts, if you do need it open to the outside world, would be to
> > have it use a different listen port. Anything other than 53.
> > --
> >
> > http://c64.arcsnet.net/
> > ICQ UIN 1551505
> > "The things you own, they end up owning you." - Tyler Durden
>
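The thread's point about TCP port 53 rests on RFC 1035 rather than on Microsoft-specific behaviour: a UDP answer that does not fit in 512 bytes comes back with the TC (truncated) flag set, and a conforming client retries the same query over TCP, so a name server that blocks TCP 53 silently breaks those lookups even with zone transfers restricted. The following script is an added example, not code from the thread or from any of its posters. It builds an RFC 1035 query, decodes the header of a reply, and reports whether a client must fall back to TCP; the reply bytes are constructed inline (a truncated and a complete answer to the same MX query), not captured from a real server.

```python
"""
Added example: minimal RFC 1035 DNS message builder/parser showing the
TC-flag handling that makes TCP port 53 necessary for ordinary lookups.
Sample replies below are constructed here, not captured from a real server.
"""
import struct

DNS_QTYPE_A = 1
DNS_QTYPE_MX = 15
DNS_CLASS_IN = 1
UDP_PAYLOAD_LIMIT = 512  # RFC 1035 section 2.3.4: UDP messages are capped here


def encode_name(name: str) -> bytes:
    """Encode 'mail.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = DNS_QTYPE_A) -> bytes:
    """Build a standard recursive query: RD=1, one question, no answer records."""
    flags = 0x0100  # QR=0, OPCODE=0 (QUERY), RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, DNS_CLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header. TC (bit 9) tells a client to retry over TCP."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(query: bytes, udp_response: bytes) -> bool:
    """True when the UDP reply is a truncated response to our own query."""
    q = parse_header(query)
    r = parse_header(udp_response)
    return r["qr"] == 1 and r["id"] == q["id"] and r["tc"] == 1


def frame_for_tcp(msg: bytes) -> bytes:
    """RFC 1035 section 4.2.2: over TCP each message carries a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def decide_transport(query: bytes, udp_response: bytes) -> str:
    """Name the transport that must carry the usable answer ('udp' or 'tcp')."""
    return "tcp" if needs_tcp_retry(query, udp_response) else "udp"


# Constructed sample: replies to an MX query. Only the header matters here.
SAMPLE_TXID = 0x1234
SAMPLE_QUERY = build_query(SAMPLE_TXID, "example.com", DNS_QTYPE_MX)
_QUESTION = encode_name("example.com") + struct.pack("!HH", DNS_QTYPE_MX, DNS_CLASS_IN)
TRUNCATED_FLAGS = 0x8380  # QR=1, TC=1, RD=1, RA=1, RCODE=NOERROR
COMPLETE_FLAGS = 0x8180   # QR=1, TC=0, RD=1, RA=1, RCODE=NOERROR
SAMPLE_TRUNCATED_REPLY = struct.pack("!HHHHHH", SAMPLE_TXID, TRUNCATED_FLAGS, 1, 0, 0, 0) + _QUESTION
SAMPLE_COMPLETE_REPLY = struct.pack("!HHHHHH", SAMPLE_TXID, COMPLETE_FLAGS, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for label, reply in (("truncated", SAMPLE_TRUNCATED_REPLY),
                         ("complete", SAMPLE_COMPLETE_REPLY)):
        print(f"{label:9s} -> {decide_transport(SAMPLE_QUERY, reply)}")
    if decide_transport(SAMPLE_QUERY, SAMPLE_TRUNCATED_REPLY) == "tcp":
        print("TCP-framed retry:", frame_for_tcp(SAMPLE_QUERY).hex())
```

The `needs_tcp_retry` check is the step a firewall rule that drops TCP 53 defeats: the client sees TC=1, opens a TCP connection for the same query, and the connection is refused or times out. Restricting zone transfers belongs in the name server's configuration (`allow-transfer` in BIND) rather than in a port filter, so that TCP remains available for truncated answers.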
This archive was generated by hypermail 2b30 : Tue May 15 2001 - 10:30:14 PDT