From: Dario Ciccarone (dciccaro) (dciccaro@cisco.com)
Date: Wed Nov 23 2005 - 12:56:39 EST
Jeff:
we had a similar discussion here with some other people. I hear that
one again and again - 'need TCP to be RFC compliant'. I've checked 1035,
and also "DNS & BIND" by Albitz and Liu - and all I can find is the
*suggestion* for resolvers to retry using TCP, not a *requirement*.
Would sincerely appreciate if you could provide us with an authoritative
reference to try and settle the matter :)
thanks,
Dario
________________________________
From: Jeff Gercken [mailto:JeffG@kizan.com]
Sent: Tuesday, November 22, 2005 9:17 AM
To: Dario Ciccarone (dciccaro); pen-test@securityfocus.com
Subject: RE: DNS ACL ?
Be aware that if you drop tcp dns traffic you won't be RFC
compliant. A method of spoof protection is to deny udp requests
indicating to the client they should use tcp. I know this is employed
by one of Cisco's anti DoS devices.
-jeff
________________________________
From: Dario Ciccarone (dciccaro) [mailto:dciccaro@cisco.com]
Sent: Thu 11/17/2005 3:06 AM
To: pen-test@securityfocus.com
Subject: FW: DNS ACL ?
Guess moderation doesn't work sometimes.
Hi! This is the ezmlm program. I'm managing the
pen-test@securityfocus.com mailing list.
I'm working for my owner, who can be reached
at pen-test-owner@securityfocus.com.
I'm sorry, the list moderators for the pen-test list
have failed to act on your post. Thus, I'm returning it to you.
If you feel that this is in error, please repost the message
or contact a list moderator directly.
--- Enclosed, please find the message you sent.
-----Original Message-----
From: Dario Ciccarone (dciccaro)
Sent: Saturday, November 12, 2005 12:26 AM
To: John Hally; pen-test@securityfocus.com
Subject: RE: DNS ACL ?
Yup.
RFC-1035 specifies that DNS queries should use UDP as transport
- and
queries are sent to the DNS server IP address, port 53. If the
server
finds that the answer section is > 512 bytes, it should reply
with at
most 512 bytes and set the TC bit in the answer. Is up to the
host
performing the query to retry it using TCP. Check section '4.2.
Transport' on the RFC.
RFC-2671 ('Extension Mechanisms for DNS (EDNS0)') updates
RFC-2671 and
allows for packet sizes > 512 when using UDP as transport.
A reference from MS: http://support.microsoft.com/kb/828263
Some queries that might exceed the 512-byte size are those like,
for
example, www.microsoft.com or www.yahoo.com, due to the number
of A
records returned.
So, you will probably be OK with only allowing 53/udp to your
DNS
server.
Thanks,
Dario
> -----Original Message-----
> From: John Hally [mailto:JHally@epnet.com]
> Sent: Friday, November 11, 2005 8:35 AM
> To: 'pen-test@securityfocus.com'
> Subject: DNS ACL ?
>
> Hello All,
>
>
>
> I need a sanity check regarding DNS ACLs. For external
> facing DNS servers
> you need to allow only udp/53 inbound, correct? I know
> tcp/53 is used for
> zone transfers and requests/replies greater than a certain
> size, but they
> shouldn't typically happen for general dns queries correct?
>
>
>
> Thanks in advance!
>
>
>
> --------------------------------------------------------------
> ----------------
> Audit your website security with Acunetix Web Vulnerability
Scanner:
>
> Hackers are concentrating their efforts on attacking
> applications on your
> website. Up to 75% of cyber attacks are launched on shopping
> carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and
> locked-down servers are
> futile against web application hacking. Check your website
> for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks
> before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> --------------------------------------------------------------
> -----------------
>
------------------------------------------------------------------------
------
Audit your website security with Acunetix Web Vulnerability
Scanner:
Hackers are concentrating their efforts on attacking
applications on your
website. Up to 75% of cyber attacks are launched on shopping
carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down
servers are
futile against web application hacking. Check your website for
vulnerabilities
to SQL injection, Cross site scripting and other web attacks
before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
-------
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:11 EDT