"Michael H. Warfield" wrote:
>
> > Conclusion:
>
> > Allow ANY source port for your DNS queries.
>
> This is a very BAD practice. There are intruders out there RIGHT
> NOW who are using port 53 as the source port to perform UDP service scans
> and to access things like tftp when and where they find them!
>
> If you want to do it right, set up a forwarding caching DNS server
> somewhere where you can control access to it and let it do all your DNS
> work for you. Then you can restrict your DNS filters to one and only
> one address. All your internal sites have to go through that server.
.... and this makes my claim wrong ... how?
I'm not saying YOU are wrong: using a caching name server is good practice,
but I REALLY fail to see what hole you create by allowing 0-65535 as source
ports from the outside to your (hopefully in-between caching) DNS server,
destination port 53, that you WOULDN'T be creating by allowing only
source port 53 to access your DNS server, port 53.
Of course, you could make everything a lot more secure by not allowing
anyone to communicate with your DNS at all, but that's sort of
counter-productive IMHO. (Envisioning MJR with the scissors
again; "Good firewall, lousy throughput.")
Again:
My recommendation was to allow:
outside:23456 -> dnsmachine:53
****NOT****
outside:53 -> dnsmachine:whateverportyoudamnwellfeellikeconnectingto
Hm?
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50 Fax: +46 (0)660 122 50
Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
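A constructed illustration of the two rule shapes being argued over in the thread, added here as example code; it is not from the original message or either poster. It is a toy stateless matcher, not a real firewall, and the addresses (RFC 5737 documentation ranges), the sample packets and the function names are all assumptions. It shows why "outside:any -> dnsmachine:53" admits nothing but DNS queries, while "outside:53 -> dnsmachine:any" lets a scanner that binds source port 53 reach tftp or the portmapper on the DNS box.

```python
"""Toy stateless packet filter: compare the two DNS rule shapes.

Added example, not from the original thread. Addresses are constructed
from the RFC 5737 documentation ranges; the filter is a minimal matcher,
not a real firewall.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DNS_MACHINE = "192.0.2.53"   # constructed: the site's (caching) DNS server
OUTSIDE = "198.51.100.7"     # constructed: some host on the Internet


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """Permit rule. None for a port means 'any port'."""
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (
            p.dst_ip == self.dst_ip
            and (self.src_port is None or p.src_port == self.src_port)
            and (self.dst_port is None or p.dst_port == self.dst_port)
        )


# outside:<any> -> dnsmachine:53 (the shape recommended in the post)
POLICY_ANY_SRC_TO_53: List[Rule] = [Rule(None, DNS_MACHINE, 53)]

# outside:53 -> dnsmachine:<any> (the shape the post warns against)
POLICY_SRC53_TO_ANY: List[Rule] = [Rule(53, DNS_MACHINE, None)]

# Constructed traffic: legitimate queries plus probes that reuse source port 53.
SAMPLE_PACKETS: List[Packet] = [
    Packet(OUTSIDE, 23456, DNS_MACHINE, 53),  # ordinary resolver query
    Packet(OUTSIDE, 53, DNS_MACHINE, 53),     # query from a server bound to 53
    Packet(OUTSIDE, 53, DNS_MACHINE, 69),     # tftp probe sent from source port 53
    Packet(OUTSIDE, 53, DNS_MACHINE, 111),    # portmapper probe, same trick
    Packet(OUTSIDE, 23456, DNS_MACHINE, 69),  # tftp probe from a random port
]


def allowed(policy: List[Rule], p: Packet) -> bool:
    """Default-deny: a packet passes only if some permit rule matches."""
    return any(r.matches(p) for r in policy)


def evaluate(policy: List[Rule]) -> Dict[Tuple[int, int], bool]:
    """Map (src_port, dst_port) of each sample packet to its verdict."""
    return {(p.src_port, p.dst_port): allowed(policy, p) for p in SAMPLE_PACKETS}


def exposed_ports(policy: List[Rule]) -> List[int]:
    """Destination ports other than 53 that the policy lets through."""
    return sorted({p.dst_port for p in SAMPLE_PACKETS
                   if p.dst_port != 53 and allowed(policy, p)})


if __name__ == "__main__":
    for name, policy in [("any -> 53", POLICY_ANY_SRC_TO_53),
                         ("53 -> any", POLICY_SRC53_TO_ANY)]:
        print(name)
        for (sp, dp), ok in evaluate(policy).items():
            print(f"  src {sp:5d} -> dst {dp:3d}: {'ALLOW' if ok else 'DROP'}")
        print("  non-DNS ports reachable:", exposed_ports(policy))
```

Both policies here are single-direction permit rules. A stateless filter would additionally need the reply direction (dnsmachine:53 -> outside:any), which is exactly the rule that, written carelessly the other way round, becomes the "source port 53 to anything" hole; a stateful filter handles the reply by tracking the query instead.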