Martin Harriss (martinat_private) wrote:

> Unfortunately, 1434 is a perfectly valid "ephemeral" port.
> Would you like, for instance, random DNS failures?

This is getting off the topic of logging, but the issue of a UDP packet w/ source port of 53 being sent to port 1434 should be addressable by good firewall technology and good architecture.

For simple starters, many firewalls impose pseudo-state on UDP through use of timers and basic understanding of request-response directions. Other firewalls can do more app-level inspection to ensure that the packets in question are legit DNS query/response. And DNS as an application naturally lends itself to proxy-like architecture through forwarder/proxy functionality.

Architecturally, I would contend that the ideal design of a network that connects to the Internet will not have random individual hosts making DNS requests to a public server on the opposite side of a firewall. DNS requests should go through one's own forwarder/proxy/local DNS server/whatever so that only one or a limited number of entities are sending queries through a firewall to the public Internet. Those hosts allowed to make such queries should be limited in function to just that function, if possible.

We know historically that the code for many common DNS servers has had its share of security bugs, so said hosts should themselves be firewalled off, down to just the connections + directions required. Again, might not be possible, but in any case said host should not be running services like SQL Server which have high bug potential and tend to be used for end-user data handling, and don't typically need connectivity to the public world. It just doesn't make sense to put an app like that on the same system as a DNS server/proxy/whatever.

Binky

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
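The three mechanisms Binky describes (pseudo-state on UDP via timers and request/response direction, app-level checking that a packet really is a DNS query or response, and an egress policy that lets only a designated forwarder talk to public resolvers) can be shown together in a small simulation. The following is an added example written for this archive page, not code from the original message or from any firewall product. Everything in it is constructed for illustration: the addresses come from the RFC 5737 documentation ranges, the 30-second UDP state timer is an assumed value, and the `UdpDnsFilter`, `Packet`, `make_query` and `make_response` names are this example's own. It shows why an inbound packet from source port 53 to port 1434 is not a problem for a stateful filter: it is accepted only when a matching query left the forwarder moments earlier with the same transaction ID, and is dropped otherwise.

```python
import struct
from dataclasses import dataclass

# Constructed topology (RFC 5737 documentation addresses, not real hosts).
FORWARDER = "192.0.2.10"        # the one internal host allowed to query the Internet
UDP_TIMEOUT = 30.0              # assumed lifetime of a UDP pseudo-state entry, in seconds


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    ts: float                   # arrival time in seconds (simulated clock)


def _qname(name: str) -> bytes:
    """Encode a domain name in DNS label format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def make_query(txid: int, name: str = "example.com") -> bytes:
    """Constructed DNS query: header (RD set, one question) + question for an A record."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _qname(name) + struct.pack("!HH", 1, 1)


def make_response(txid: int, name: str = "example.com") -> bytes:
    """Constructed DNS response: QR bit set, echoing the question, no answer records needed here."""
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + _qname(name) + struct.pack("!HH", 1, 1)


def dns_header(payload: bytes):
    """Return (transaction id, is_response) from a DNS header, or None if the datagram is too short."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)   # QR bit: 0 = query, 1 = response


class UdpDnsFilter:
    """Pseudo-stateful UDP filter with DNS-aware inspection and a forwarder-only egress policy."""

    def __init__(self, timeout: float = UDP_TIMEOUT):
        self.timeout = timeout
        self.state = {}    # (src, sport, dst, dport) -> (txid, expiry time)

    def _expire(self, now: float) -> None:
        self.state = {k: v for k, v in self.state.items() if v[1] > now}

    def outbound(self, pkt: Packet) -> str:
        """Internal -> Internet direction: enforce egress policy, then record the query."""
        if pkt.dport != 53:
            return "DROP: only DNS egress is permitted on this path"
        if pkt.src != FORWARDER:
            return "DROP: source is not the designated forwarder"
        hdr = dns_header(pkt.payload)
        if hdr is None or hdr[1]:
            return "DROP: payload is not a DNS query"
        self._expire(pkt.ts)
        self.state[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = (hdr[0], pkt.ts + self.timeout)
        return "ACCEPT"

    def inbound(self, pkt: Packet) -> str:
        """Internet -> internal direction: only a response matching live state gets through."""
        self._expire(pkt.ts)
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse of the outbound 4-tuple
        if key not in self.state:
            return "DROP: no matching outbound query (no pseudo-state)"
        hdr = dns_header(pkt.payload)
        if hdr is None or not hdr[1]:
            return "DROP: payload is not a DNS response"
        if hdr[0] != self.state[key][0]:
            return "DROP: transaction ID mismatch"
        del self.state[key]            # one response per query; the entry is consumed
        return "ACCEPT"


def demo() -> dict:
    """Run a constructed traffic sequence through the filter and return each verdict."""
    f = UdpDnsFilter()
    resolver = "198.51.100.53"       # constructed public resolver
    q, r = make_query(0x1234), make_response(0x1234)
    out = {}
    # A workstation resolving directly is blocked by egress policy before any state is made.
    out["workstation_direct"] = f.outbound(Packet("192.0.2.20", 1434, resolver, 53, q, 0.0))
    # The forwarder's query from ephemeral port 1434 is legitimate and creates state.
    out["forwarder_query"] = f.outbound(Packet(FORWARDER, 1434, resolver, 53, q, 1.0))
    # The resolver's answer (53 -> 1434) matches that state and is accepted.
    out["matching_response"] = f.inbound(Packet(resolver, 53, FORWARDER, 1434, r, 2.0))
    # An unsolicited 53 -> 1434 datagram aimed at a workstation has no state and is dropped.
    out["unsolicited"] = f.inbound(Packet("203.0.113.7", 53, "192.0.2.20", 1434, r, 3.0))
    # A replay of the accepted response finds its state already consumed.
    out["replay"] = f.inbound(Packet(resolver, 53, FORWARDER, 1434, r, 4.0))
    # A response that arrives after the UDP timer has expired is dropped.
    f.outbound(Packet(FORWARDER, 2048, resolver, 53, q, 10.0))
    out["late_response"] = f.inbound(Packet(resolver, 53, FORWARDER, 2048, r, 10.0 + UDP_TIMEOUT + 1))
    # App-level check: right 4-tuple, wrong transaction ID.
    f.outbound(Packet(FORWARDER, 3000, resolver, 53, q, 50.0))
    out["bad_txid"] = f.inbound(Packet(resolver, 53, FORWARDER, 3000, make_response(0x4321), 51.0))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The direction check is what matters most here: the filter never consults the source port of an inbound datagram on its own, it asks whether the reverse 4-tuple was seen leaving recently. A real firewall would add more to the inspection step (question section consistency, response size limits), but the shape of the decision is the same.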
This archive was generated by hypermail 2b30 : Tue Jan 28 2003 - 06:44:03 PST