Security Incidents mailing list archives
Re: Large DNS scans from 211.53.208.178
From: pain () ROYAL NET (Igor Gashinsky)
Date: Wed, 3 May 2000 19:28:01 -0400
If I am not mistaken, if the UDP DNS packet exceeds 484 bytes, it will be resent via TCP. The reason it is 484 is the fact that we have a 512-byte IP packet; 20 of them go to the IP header, and 8 more for the TCP header, leaving only 484 for the actual DNS payload. So, if anyone has a DNS lookup exceeding 484 bytes, it has to go over TCP [this lookup would include the IPs and names of all the authoritative DNS servers for that domain, so it could run up fairly quickly]. However, given all of that, I have not seen much traffic that goes over that threshold, and a few places I have consulted for do not allow 53/TCP through the firewall at all, and have no problem with DNS resolution whatsoever. I think it will really affect huge MX records, and things like that. Very few places actually require UDP-based look-ups, usually for multi-hosted servers, 3DNS and the like.

It may be worth a try to log traffic to your DNS server, and see if everything is over UDP, and if it is, lock up 53/TCP. It would greatly improve the security of that machine.

-Igor Gashinsky, GCIA (pain () royal net)

"It is easy to run a secure computer system. You merely have to disconnect all dial-up connections and permit only direct-wired terminals, put the machine and its terminals in a shielded room, and post an armed guard at the door."

At 12:26 PM 5/3/00 +1200, Richard Stevenson wrote:
> On 1 May 2000, at 1:49, Seth Georgion wrote:
>
> > This is very common, especially from Korea, and should be seen as obvious attempts to find zone-transferable hosts and should be secured against by disallowing unauthorized zone transfers. Of course anyone who has an even minimal computer education should be aware that all zone transfers are by nature TCP based and that all DNS lookups are by nature UDP based. Thus it would follow that no one, not even the village idiot, would allow TCP 53 through the firewall.
>
> That's not quite correct. UDP-based DNS replies have a maximum size (about 500 bytes, IIRC), beyond which they include a flag stating that the reply was truncated. The client resolver may then query again using TCP, which allows larger replies, to get the complete data set they asked for.
>
> Regards
> Richard
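As an added illustration of the truncation mechanism Richard describes (example code written for this archive page, not something any poster sent): a toy authoritative server assembles the NS answer set for a made-up zone `example.test`, enforces the RFC 1035 section 4.2.1 limit of 512 bytes on a DNS message carried over UDP (the limit is on the DNS message itself, not the IP datagram, and EDNS0 can advertise larger payloads), drops whole records and sets the TC bit when not everything fits, and a resolver side checks TC and repeats the query over TCP with the 2-byte length prefix TCP transport uses (RFC 1035 section 4.2.2). The zone, record names, transaction ID and the two in-memory "transports" are all constructed for the demo; no packets are sent.

```python
import struct

DNS_UDP_MAX = 512          # RFC 1035 4.2.1: max DNS message over UDP without EDNS0
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
TYPE_NS, CLASS_IN = 2, 1
HEADER_LEN = 12


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def name_end(msg, off):
    """Return the offset just past the uncompressed name that starts at off."""
    while msg[off]:
        off += 1 + msg[off]
    return off + 1


def build_query(txid, qname, qtype):
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def encode_rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_response(query, answers, max_size=None):
    """Server side: echo the query's ID and question, then append answer RRs.
    With max_size set (UDP), stop at the last whole RR that fits and set TC."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[HEADER_LEN:name_end(query, HEADER_LEN) + 4]
    body = bytearray(question)
    included, truncated = 0, False
    for rr in answers:
        wire = encode_rr(*rr)
        if max_size is not None and HEADER_LEN + len(body) + len(wire) > max_size:
            truncated = True
            break
        body += wire
        included += 1
    flags = FLAG_QR | FLAG_AA | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, included, 0, 0) + bytes(body)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x0F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_reply):
    return parse_header(udp_reply)["tc"]


def tcp_frame(msg):
    """RFC 1035 4.2.2: over TCP every message carries a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    (n,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + n]


def resolve_with_fallback(query, send_udp, send_tcp):
    """Resolver side: ask over UDP; on a TC=1 reply, repeat the query over TCP.
    send_tcp=None models a firewall dropping 53/TCP: only the truncated set remains."""
    reply = send_udp(query)
    if not needs_tcp_retry(reply):
        return reply, "udp"
    if send_tcp is None:
        return reply, "udp-truncated"
    return tcp_unframe(send_tcp(tcp_frame(query))), "tcp"


def demo():
    """Constructed zone: example.test with 40 NS records ns01..ns40.example.test."""
    zone = "example.test"
    answers = [(zone, TYPE_NS, CLASS_IN, 3600, encode_name(f"ns{i:02d}.{zone}"))
               for i in range(1, 41)]

    def udp_server(q):
        return build_response(q, answers, max_size=DNS_UDP_MAX)

    def tcp_server(framed):
        return tcp_frame(build_response(tcp_unframe(framed), answers))

    query = build_query(0x1234, zone, TYPE_NS)
    open_reply, open_via = resolve_with_fallback(query, udp_server, tcp_server)
    closed_reply, closed_via = resolve_with_fallback(query, udp_server, None)
    return {"open": (open_via, len(open_reply), parse_header(open_reply)["ancount"]),
            "tcp53_filtered": (closed_via, len(closed_reply),
                               parse_header(closed_reply)["ancount"])}


if __name__ == "__main__":
    for label, (via, size, count) in demo().items():
        print(f"{label}: got {count} NS records ({size} bytes) via {via}")
```

Each NS record is 43 bytes on the wire and the header plus question take 30, so only 11 of the 40 fit under 512 bytes: the UDP reply comes back with TC=1, 11 answers and 503 bytes, and the TCP retry returns all 40 in 1750 bytes. A resolver behind a firewall that drops 53/TCP keeps only the truncated set, which is the trade-off behind locking up 53/TCP as proposed above; logging whether any client ever retries over TCP, as the post suggests, tells you whether anyone would notice.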
Current thread:
- Re: more weird traceroutes, (continued)
- Re: more weird traceroutes Chad Thunberg (May 02)
- Re: Large DNS scans from 211.53.208.178 Fernando Cardoso (May 02)
- Re: Large DNS scans from 211.53.208.178 Russell Fulton (May 02)
- Re: Large DNS scans from 211.53.208.178 Ed Padin (May 02)
- Re: Large DNS scans from 211.53.208.178 Keith McCammon (May 03)
- Re: Large DNS scans from 211.53.208.178 David B. Bukowski (May 03)
- Re: Large DNS scans from 211.53.208.178 sigipp () WELLA COM BR (May 03)
- Re: Large DNS scans from 211.53.208.178 Seth Georgion (May 03)
- Re: Large DNS scans from 211.53.208.178 Greg A. Woods (May 08)
- Re: Large DNS scans from 211.53.208.178 Seth Georgion (May 03)
- Re: Large DNS scans from 211.53.208.178 Chen, Dave (May 03)
- Re: Large DNS scans from 211.53.208.178 Igor Gashinsky (May 03)
- Re: Large DNS scans from 211.53.208.178 Keith Owens (May 06)