replies below
--
Jack Coates, Rainfinity SE
t: 650-962-5301 m: 650-280-4376
On Mon, 17 Jul 2000, Aaron Turner wrote:
>
> Actually Jack, in the wild you will see a significant portion of requests
> coming from port 53. I forget why off the top of my head, but it does
> happen. Also, remember that the >1024 is a Unix'ism and isn't true in the
> Windows world.
>
This seems broken to me; to my knowledge, putting servers below 1024 and
clients above 1024 is a networking'ism and was covered in Cisco and MS
certification materials. Granted, it's broken all the time on the server
side since there are only so many ports below 1024 and there's a security
risk in running a known-to-be-weak service on a well-known port, but I've
never seen a DNS resolver coming _from_ UDP 53. That would break inbound
resolution requests on my home firewall, which I use fairly
frequently. I'm sure you've seen it or you wouldn't have said so, but I'd
think it's got to be fairly rare. Whatever.
> Lastly, 53/tcp is not only used for zone transfers. It can be used for
> "normal lookups" too. I forget what threshold the RFC states, but any
> communication beyond a certain number of bytes will be done over TCP
> regardless of whether it is a regular lookup or zone transfer. It just so happens
> that it is very rare that a lookup occurs over TCP, but it is possible.
>
512 bytes.
> So if you're concerned about security and not breaking things, your best
> bet is to use the security features in BIND or whatever software you're
> using to limit zone transfers to specific hosts rather than the firewall.
> Realize however that this will also make you more vulnerable to
> buffer overflow attacks in BIND, so it's imperative that you run BIND
> chrooted and keep it up to date.
>
>
100% agreed. Actually, 99% agreed -- I recommend using both. My named will
only transfer records with its slaves and masters, and I filter transfers
to their known IP addresses at my router. You could call it doing the same
job twice, or you could call it being minimalistic. There's no need for
any other machine to talk to TCP 53 on my name server, unless of course
they've included 500 bytes of HINFO in a record I asked for :-)
Jack
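The 512-byte point above is what drives the occasional lookup over 53/tcp: a server whose answer does not fit in a classic UDP reply sets the TC (truncated) bit, and the resolver repeats the query over TCP. The following Python is an added example for this thread, not code from either poster; it parses the RFC 1035 header, makes the server-side "fits in UDP or must truncate" decision, and the client-side "retry over TCP" decision. It assumes DNS without EDNS0 (so the 512-byte limit applies), a single question with no name compression in the question section, and the sample response is constructed here.

```python
"""Added example (not from the original mailing-list thread).

Shows why a plain lookup can legitimately arrive on 53/tcp: a UDP reply
over 512 bytes (RFC 1035, no EDNS0) is sent truncated with the TC bit
set, and the resolver retries the same query over TCP.
"""
import struct

UDP_MAX_PAYLOAD = 512        # RFC 1035 limit for UDP DNS without EDNS0
FLAG_TC = 0x0200             # truncation bit in the header flags word


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,       # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,       # authoritative answer
        "tc": (flags >> 9) & 1,        # truncated: did not fit in UDP
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def question_end(msg: bytes) -> int:
    """Offset just past the question section (assumes qdcount == 1 and
    an uncompressed name, which is the normal case for questions)."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4             # terminating zero + QTYPE + QCLASS


def sample_full_response(ident: int, n_a_records: int) -> bytes:
    """Constructed authoritative reply for 'example.com A' with
    n_a_records answers (each answer is 16 bytes on the wire)."""
    flags = 0x8580               # QR=1, AA=1, RD=1, RA=1, TC=0, RCODE=0
    hdr = struct.pack("!HHHHHH", ident, flags, 1, n_a_records, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    rrs = b""
    for i in range(n_a_records):
        # name pointer to offset 12, TYPE A, CLASS IN, TTL 300, RDLENGTH 4
        rrs += (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                + bytes([192, 0, 2, i % 256]))   # 192.0.2.0/24 test net
    return hdr + question + rrs


def udp_reply(full_response: bytes):
    """Server side: return (wire_bytes, truncated). A reply over the UDP
    limit is sent as header + question only with TC set; a real server
    may keep whole RRs that still fit, this simplified form keeps none."""
    if len(full_response) <= UDP_MAX_PAYLOAD:
        return full_response, False
    h = parse_header(full_response)
    ident, flags = struct.unpack("!HH", full_response[:4])
    hdr = struct.pack("!HHHHHH", ident, flags | FLAG_TC, h["qdcount"], 0, 0, 0)
    return hdr + full_response[12:question_end(full_response)], True


def needs_tcp_retry(udp_response: bytes) -> bool:
    """Client side: a truncated UDP reply means repeat the query on 53/tcp."""
    return parse_header(udp_response)["tc"] == 1


if __name__ == "__main__":
    for n in (3, 40):
        full = sample_full_response(0x1234, n)
        wire, truncated = udp_reply(full)
        print(f"{n:2d} A records: full={len(full)} bytes, "
              f"sent={len(wire)} bytes, truncated={truncated}, "
              f"client retries over TCP={needs_tcp_retry(wire)}")
```

Three A records fit comfortably (77 bytes); forty do not (669 bytes), so the UDP answer goes out as a 29-byte truncated reply and the resolver opens a TCP connection to port 53 for the same question. That is the traffic a firewall rule allowing only known slaves to 53/tcp would drop, which is the trade-off the thread is weighing.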
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================