Re: [FW-1] DNS TCP
> It can also happen when a DNS request returns too much information to fit
> into one packet -- which is limited to 512k I think due to initial
> implementations of DNS code.  If the information can not fit into the first
> packet (which is still sent using DNS/UDP) then it will indicate that in the
> first packet and then the "remote" (other) will initiate a DNS/TCP
> connection to your server.
Actually it is 512 bytes not 512k. _BIG_ difference.

> Those are the only legitimate purposes and the second case is rare.  Even if
> it happens, make sure it is important to the business unit before you allow
> it and try and restrict this exchange as much as possible.
I do agree the second case is rare. Many companies run without allowing
TCP 53 into their name servers and they get by just fine.

> It is a bad thing to allow because your DNS servers contain a wealth of
> information about any given company.  In some cases, it may even include the
> hardware and OS of the systems (although this is rare as well).  If you
> allow someone to do zone transfers to or from your DNS servers you are
> either allowing your DNS servers to be poisoned or handing over all that
> information to someone who is most likely trying to find a way in.
This I have a problem with. You do not need TCP 53 to request HINFO
records from a name server. Then again, anyone running with an accurate
HINFO record in their zone files should probably be shot anyway. Second,
DNS poisoning did not require TCP 53 access. It was easier to do through
UDP requests. Finally, most of the problems with DNS are on the UDP side
and not the TCP side. You would be better off closing UDP 53 and allowing
TCP 53.

As for zone transfers, that's why you have the allow-transfer directive in
the first place.

DNS is, and always has been, a very insecure protocol. Given this, and the
fact that DNS queries involve a lot of firewall overhead for very small
amounts of data, you are probably better off just putting them in front of
your firewall and just watching them. If all you run on them is DNS
anyway, it will not matter if they are in front of or behind the firewall.
They can be compromised either way. If they are behind the firewall,
however, such a compromise gives an attacker a bridgehead into your
network which would definitely not be a good idea.

-Don

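The truncation mechanism the quoted poster describes (a UDP answer that does not fit in 512 bytes, flagged in the first packet, followed by a retry over TCP) is illustrated below. This is an added example, not code from the original thread: it builds a minimal query, checks the TC bit in a constructed UDP response, and shows the 2-byte length framing that DNS over TCP uses; the transaction id and the sample response bytes are constructed for the demonstration.

```python
"""DNS truncation (TC bit) and the UDP -> TCP fallback framing (RFC 1035)."""
import struct
from typing import List

# Classic limit for a DNS message carried over UDP: 512 bytes, not 512k.
UDP_PAYLOAD_LIMIT = 512


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (qtype 1 = A). txid is a constructed value."""
    labels = b"".join(struct.pack("B", len(lbl)) + lbl.encode()
                      for lbl in qname.rstrip(".").split("."))
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def is_truncated(response: bytes) -> bool:
    """True when the TC bit (0x0200 in the flags word) is set in the header."""
    if len(response) < 12:
        raise ValueError("short DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)


def next_transport(response: bytes) -> str:
    """What a resolver does with a UDP reply: keep it, or retry over TCP."""
    return "tcp" if is_truncated(response) else "udp"


def frame_for_tcp(message: bytes) -> bytes:
    """DNS over TCP prefixes every message with its big-endian 2-byte length."""
    return struct.pack("!H", len(message)) + message


def unframe_tcp(stream: bytes) -> List[bytes]:
    """Split a TCP byte stream back into DNS messages using the length prefixes."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        n = struct.unpack("!H", stream[off:off + 2])[0]
        if off + 2 + n > len(stream):
            break  # incomplete trailing message; wait for more bytes
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs


# Constructed sample: a UDP reply echoing our question with QR, TC, RD, RA set
# and no answer records, as a server sends when the answer exceeds 512 bytes.
QUERY = build_query("example.com")
TRUNCATED_UDP_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]
```

A firewall that blocks TCP 53 silently breaks exactly this retry path, which is why the thread treats it as a business decision rather than a purely technical one.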
   All contents © 2004 Network Presence, LLC. All rights reserved.