Security Incidents: Re: DNS ports and scans

Re: DNS ports and scans

From: Frijole <frijole_at_clas.net>
Date: Mon, 14 May 2001 12:16:41 -0500

There is one major downside to blocking TCP port 53 - some Microsoft clients
will not be able to do host lookups properly. I have seen this on NT 4.0
with OP4 installed. The SMTP service was polling the dns server using TCP,
not UDP. Searching http://support.microsoft.com I found an obscure article
(that I wish I had saved) which stated that according to the RFC, both TCP
and UDP connections should be allowed on public DNS servers. Once I opened
TCP, the SMTP was able to resolve properly and send messages.

I have noticed in my DNS server log files that many of the NT boxes on our
LAN do attempt to transfer zones, but I have not taken the time to
investigate it. As transfers are *still* restricted on our DNS servers, we
know that the NT box referenced above was not failing due to the inability
to transfer a zone, but was using TCP instead of UDP to query the DNS
server.

Youn Gonzales
System Administrator
CLAS Net Inc.
Comptia A+, Network+
Cisco CCNA
Chicken is tasty..

----- Original Message -----
From: "Eyes to the Skies." <sgtphou_at_fire-eyes.yi.org>
To: <INCIDENTS_at_SECURITYFOCUS.COM>
Sent: Saturday, May 05, 2001 3:18 PM
Subject: Re: DNS ports and scans

> Jason Lewis wrote:
> >
> > DNS queries are on UDP port 53. TCP port 53 is used for zone transfers. By
> > blocking TCP port 53 I can't do zone transfers, but clients can still do
> > lookups on UDP 53. Since I have blocked TCP port 53, I have seen a decrease
> > in attack attempts on my name servers, primarily because that port isn't
> > open. I do still see scans for the DNS ports, but nothing more than a port
> > scan.
> >
> > My question is...Can anyone come up with any pros/cons of doing this?
> >
> > My name servers are successfully serving my domains, so I don't see a
> > downside. Thoughts?
>
> Well, I run a caching DNS server, only for myself. I was always
> wondering how to stop it from listening on my ppp (outside world)
> interface, since no one on the outside needs to connect to me. I
> firewalled as well.
>
> Today I figured out how to keep it listening only on the IPs/interfaces
> you want.
>
> I have a dial up box here, which runs the dns server. I have another box
> that is NAT'd as well. Anyway here's how I got it to listen only on
> 127.0.0.1 and 192.168.0.1 :
>
> in /etc/named.conf (this is bind8):
>
> in the options section:
>
> listen-on { 127.0.0.1; 192.168.0.1; };
>
> So now, it doesn't even bother to listen on the outside world (ppp0).
>
> Other thoughts, if you do need it open to the outside world, would be to
> have it use a different listen port. Anything other than 53.
> --
>
> http://c64.arcsnet.net/
> ICQ UIN 1551505
> "The things you own, they end up owning you." - Tyler Durden
Received on May 14 2001
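The point Frijole raises above, that the RFC requires DNS servers to accept both TCP and UDP, is easy to check against the wire format. RFC 1035 has resolvers retry over TCP when a UDP answer comes back with the TC (truncated) bit set, and TCP DNS messages carry a two-byte length prefix. The following is an added example written for this archive page, not code from either poster: it encodes a query, detects TC in a constructed (not captured) UDP reply, and frames messages for TCP the way a client that falls back to TCP/53 would. Nothing is sent on the network.

```python
"""
Minimal DNS message helpers showing why TCP/53 carries more than zone
transfers. Constructed, offline example: no packets are sent.
"""
import struct

QTYPE_A = 1
QTYPE_MX = 15
FLAG_TC = 0x0200  # truncation bit, bit 9 of the flags word


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive query (QR=0, RD=1) for `name`, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def is_truncated(response: bytes) -> bool:
    """True when the server set TC, meaning the UDP reply was cut short."""
    if len(response) < 12:
        raise ValueError("short DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_TC)


def choose_transport(udp_response: bytes) -> str:
    """Mirror a stub resolver's decision: a TC=1 UDP answer means retry over TCP."""
    return "tcp" if is_truncated(udp_response) else "udp"


def frame_for_tcp(message: bytes) -> bytes:
    """RFC 1035 section 4.2.2: over TCP each message is prefixed by its length."""
    return struct.pack("!H", len(message)) + message


def unframe_from_tcp(stream: bytes) -> list:
    """Split a TCP byte stream back into individual DNS messages."""
    messages = []
    offset = 0
    while offset + 2 <= len(stream):
        length = struct.unpack("!H", stream[offset:offset + 2])[0]
        offset += 2
        if offset + length > len(stream):
            raise ValueError("incomplete message in stream")
        messages.append(stream[offset:offset + length])
        offset += length
    return messages


# Constructed sample: an MX query and a server reply whose flags are
# QR=1, TC=1, RD=1, RA=1 (0x8380), i.e. the UDP answer was truncated.
QUERY = build_query("mail.example.com", qtype=QTYPE_MX)
TRUNCATED_UDP_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    print("transport after UDP reply:", choose_transport(TRUNCATED_UDP_REPLY))
    print("TCP framed query:", frame_for_tcp(QUERY).hex())
```

A firewall that drops TCP/53 leaves such a client stuck at the retry step, which matches the NT mail server symptom in the message above: the query itself, not a zone transfer, needed TCP.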
