On Wed, Feb 23, 2000 at 09:41:41PM +0100, Mikael Olsson wrote:

> Jon Earle wrote:

> > Folks,

> > If I implement packet filters on my firewall to allow DNS queries to enter,
> > should I be concerned about packets with both the source _and_ destination
> > ports set to 53?  

> You should _NOT_ be enforcing port 53 as source port, as many firewalls
> will translate the source port 53 to something high.

> Apple recently tried allowing 53 and 1024-65535 but ended up blocking 
> all firewall-1 users since fw-1 tries to translate low source ports 
> into other low source ports, ie 53 ended up somewhere 
> above 512 but below 1024.

> Conclusion:

> Allow ANY source port for your DNS queries.

        This is a very BAD practice.  There are intruders out there RIGHT
NOW who are using port 53 as the source port to perform UDP service scans
and to access things like tftp when and where they find them!

        If you want to do it right, set up a forwarding caching DNS server
somewhere where you can control access to it and let it do all your DNS
work for you.  Then you can restrict your DNS filters to one and only
one address.  All your internal sites have to go through that server.

> -- 
> Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
> Phone: +46 (0)660 105 50           Fax: +46 (0)660 122 50
> Mobile: +46 (0)70 248 00 33
> WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
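Added illustration, not part of the thread and not code from either poster: a small stateless UDP packet-filter simulation that puts the two rule styles discussed above side by side. The "loose" ruleset treats a source port of 53 as proof that a datagram is DNS and lets it into the whole internal network; the "restricted" ruleset only admits UDP to a single forwarding caching resolver and requires no particular source port on incoming queries. The addresses (RFC 5737 documentation ranges), the resolver address 192.0.2.53, the rule syntax and the sample packets are all constructed for the example.

```python
"""Stateless UDP packet-filter simulation for the DNS rule discussion.

Added example; not code from the original mailing-list message. All
addresses, ports and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = None  # wildcard for a network or a port range


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    proto: str
    src_net: Optional[str]             # CIDR string or ANY
    sports: Optional[Tuple[int, int]]  # inclusive port range or ANY
    dst_net: Optional[str]
    dports: Optional[Tuple[int, int]]
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if self.src_net is not ANY and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net is not ANY and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.sports is not ANY and not (self.sports[0] <= p.sport <= self.sports[1]):
            return False
        if self.dports is not ANY and not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        return True


def evaluate(rules: List[Rule], packet: Packet, default: str = "deny") -> Tuple[str, str]:
    """First matching rule wins; otherwise fall through to the default policy."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.comment
    return default, "default policy"


INTERNAL = "192.0.2.0/24"        # constructed internal network
FORWARDER = "192.0.2.53/32"      # constructed: the one forwarding caching resolver

# Loose ruleset: source port 53 alone is taken as evidence of DNS traffic,
# and it is accepted towards any internal host and any destination port.
LOOSE = [
    Rule("allow", "udp", ANY, (53, 53), INTERNAL, ANY,
         "udp sport 53 from anywhere into the internal net"),
]

# Restricted ruleset: inbound UDP is only ever accepted for the resolver.
# Queries may arrive from any source port, since NAT in front of the remote
# client may have rewritten it; replies are only accepted towards the
# resolver's own high query ports. Everything else inbound is denied.
RESTRICTED = [
    Rule("allow", "udp", ANY, ANY, FORWARDER, (53, 53),
         "queries to the forwarder, any source port"),
    Rule("allow", "udp", ANY, (53, 53), FORWARDER, (1024, 65535),
         "replies to the forwarder's own queries"),
    Rule("deny", "udp", ANY, ANY, INTERNAL, ANY,
         "all other inbound UDP"),
]

# Constructed sample traffic.
SAMPLES = {
    # a UDP probe using source port 53 against tftp (udp/69) on an internal host
    "scan_tftp": Packet("udp", "198.51.100.7", 53, "192.0.2.10", 69),
    # a genuine reply to a query the forwarder sent from port 40000
    "dns_reply": Packet("udp", "198.51.100.200", 53, "192.0.2.53", 40000),
    # an external query whose source port was translated by a NAT device
    "ext_query": Packet("udp", "198.51.100.9", 61000, "192.0.2.53", 53),
}


def demo() -> Dict[Tuple[str, str], str]:
    """Evaluate every sample packet against both rulesets."""
    results = {}
    for policy_name, rules in (("loose", LOOSE), ("restricted", RESTRICTED)):
        for pkt_name, pkt in SAMPLES.items():
            results[(policy_name, pkt_name)] = evaluate(rules, pkt)[0]
    return results


if __name__ == "__main__":
    for (policy, pkt), verdict in sorted(demo().items()):
        print(f"{policy:10s} {pkt:10s} -> {verdict}")
```

Under the loose ruleset the tftp probe is admitted because it carries source port 53, while the NAT-rewritten query is dropped because its source port is not 53. Under the restricted ruleset the probe is denied (its destination is not the resolver), the translated query is accepted, and the resolver still receives replies to its own queries.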
