Home page logo
/

basics logo Security Basics mailing list archives

Re: Securing DNS Server
From: Bennett Todd <bet () rahul net>
Date: Tue, 5 Nov 2002 15:41:49 -0500

2002-11-05-14:36:41 Naman Latif:
Try adding this to named.conf:

options {
     query-source address * port 53;
};
++++++++++++++++++++++++++++++++++

Which would have the originating queries only from Port 53, thus making
it easier to implement in the firewall.

It may make it easier to firewall, but it's got other consequences.

It may, depending on the implementation in the server, limit the
server to one outstanding query at a time, which would only be
acceptable for exceptionally low-volume servers (home servers,
perhaps). Or it may cause all concurrent queries to share the same
src port, rather than being issued distinct src ports, which would
have the consequence that it would be much, much easier to forge a
reply packet and send it to the server to poison its cache.

Either way, the consequence may, perhaps, be worse than just
allowing incoming UDP to a wide range of ports on the DNS server.

It really comes down to a question of whether you can harden that
server adequately.

-Bennett

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]