On Wed, Feb 23, 2000 at 11:22:01PM +0100, Mikael Olsson wrote:
> "Michael H. Warfield" wrote:
> > > Conclusion:
> > > Allow ANY source port for your DNS queries.
I interpreted this comment to mean any source port from your client
to an outside DNS server for "your" DNS queries, rather than someone else
querying your DNS server. My bad...
> > This is a very BAD practice. There are intruders out there RIGHT
> > NOW who are using port 53 as the source port to perform UDP service scans
> > and to access things like tftp when and where they find them!
> > If you want to do it right, set up a forwarding caching DNS server
> > somewhere where you can control access to it and let it do all your DNS
> > work for you. Then you can restrict your DNS filters to one and only
> > one address. All your internal sites have to go through that server.
> .... and this makes my claim wrong ... how?
> I'm not saying YOU are wrong: using a caching name server is good practice,
> but I REALLY fail to see what hole you create by allowing 0-65535 as source
> ports from the outside to your (hopefully in-between caching) DNS server,
> destination port 53, that you WOULDN'T be creating in allowing only
> source ports 53 to access your DNS server, port 53.
Ok... I guess I was reading the message wrong... I was thinking
the other way of requests from arbitrary ports on the inside to DNS
ports on the outside. Maybe I need to read things more carefully. :-)
> Of course, you could make everything a lot more secure by not allowing
> anyone to communicate with your DNS at all, but that's sort of
> counter-productive IMHO. (Envisioning MJR with the scissors
> again; "Good firewall, lousy throughput.")
> Again:
> My recommendation was to allow:
> outside:23456 -> dnsmachine:53
> ****NOT****
> outside:53 -> dnsmachine:whateverportyoudamnwellfeellikeconnectingto
> Hm?
I had this confused. That does take care of DNS requests, but
for that I would (and do) place a DNS server outside of my firewall (or
behind its own separate firewall in a DMZ) and update him under tightly
controlled conditions. If he gets compromised, I can rebuild him and my
network isn't compromised as a consequence. The only thing on that
exposed server is DNS and SSH (for access).
> --
> Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
> Phone: +46 (0)660 105 50 Fax: +46 (0)660 122 50
> Mobile: +46 (0)70 248 00 33
> WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
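A small stateless model of the two rule sets the thread contrasts, added here as an example and not code from either poster. Addresses, ports and packets are constructed; "dnsmachine" is the DMZ DNS host, and the probe packet models the source-port-53 scan against tftp (udp/69) that Michael describes.

```python
from dataclasses import dataclass

DNS_HOST = "192.0.2.53"       # constructed: "dnsmachine" in the DMZ
INTERNAL_HOST = "192.0.2.10"  # constructed: some other host behind the filter


@dataclass(frozen=True)
class Packet:
    """One inbound UDP datagram as a stateless filter sees it."""
    src: str
    sport: int
    dst: str
    dport: int


def policy_trust_source_port_53(pkt: Packet) -> bool:
    """Weak rule: 'outside:53 -> anything'. Matches only on the attacker-
    controlled source port, so it admits probes to any internal service."""
    return pkt.sport == 53


def policy_dns_host_port_53(pkt: Packet) -> bool:
    """Mikael's rule: 'outside:anyport -> dnsmachine:53'. Any source port,
    but only to the one DNS host and only to destination port 53."""
    return pkt.dst == DNS_HOST and pkt.dport == 53


# Constructed traffic: a legitimate query from an ephemeral source port,
# and a probe that sets source port 53 to reach tftp on an internal host.
LEGIT_QUERY = Packet("198.51.100.7", 23456, DNS_HOST, 53)
TFTP_PROBE = Packet("198.51.100.9", 53, INTERNAL_HOST, 69)


def audit(policy) -> dict:
    """Return what a policy permits for the constructed traffic."""
    return {
        "legit_query_allowed": policy(LEGIT_QUERY),
        "tftp_probe_allowed": policy(TFTP_PROBE),
    }


if __name__ == "__main__":
    print("source-port-53 rule:", audit(policy_trust_source_port_53))
    print("dnsmachine:53 rule: ", audit(policy_dns_host_port_53))
```

The weak rule both admits the tftp probe and drops the legitimate query (modern resolvers send from ephemeral ports), while the destination-based rule does the reverse.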