
Re: [FW-1] DNS TCP



here you go, ask mr. dns!
http://www.acmebw.com/askmrdns/



-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Bill Osterman
Sent: 09 May 2002 20:20
To: [email protected]
Subject: Re: [FW-1] DNS TCP


Don, I stand corrected on some of the details.  I did not necessarily mean
to imply that HINFO records are part of the zone transfer process and I
incorrectly stated the poisoning bit.  I was just trying to make people
realize some of the issues surrounding DNS.  I had never considered leaving
one totally outside the protection of a firewall, but I will think about it.

So while I run for cover   ;~}   let me redirect everyone's interest and ask
a different question.  How much time does it take for most people's emails to
reach the mailing list?  Mine takes at least an hour and sometimes as much
as three.  Is that normal for everyone else?

----- Original Message -----
From: "Don" <[email protected]>
To: <[email protected]>
Sent: Thursday, May 09, 2002 2:10 PM
Subject: Re: [FW-1] DNS TCP


> > It can also happen when a DNS request returns too much information to fit
> > into one packet -- which is limited to 512k I think due to initial
> > implementations of DNS code.  If the information can not fit into the first
> > packet (which is still sent using DNS/UDP) then it will indicate that in the
> > first packet and then the "remote" (other) will initiate a DNS/TCP
> > connection to your server.
> Actually it is 512 bytes not 512k. _BIG_ difference.
>
> > Those are the only legitimate purposes and the second case is rare. Even if
> > it happens, make sure it is important to the business unit before you allow
> > it and try and restrict this exchange as much as possible.
> I do agree the second case is rare. Many companies run without allowing
> TCP 53 into their name servers and they get by just fine.
>
> > It is a bad thing to allow because your DNS servers contain a wealth of
> > information about any given company.  In some cases, it may even include the
> > hardware and OS of the systems (although this is rare as well).  If you
> > allow someone to do zone transfers to or from your DNS servers you are
> > either allowing your DNS servers to be poisoned or handing over all that
> > information to someone who is most likely trying to find a way in.
> This I have a problem with. You do not need TCP 53 to request HINFO
> records from a name server. Then again, anyone running with an accurate
> HINFO record in their zone files should probably be shot anyway. Second,
> DNS poisoning did not require TCP 53 access. It was easier to do through
> UDP requests. Finally, most of the problems with DNS are on the UDP side
> and not the TCP side. You would be better off closing UDP 53 and allowing
> TCP 53.
>
> As for zone transfers, that's why you have the allow-transfer directive in
> the first place.
>
> DNS is, and always has been, a very insecure protocol. Given this, and the
> fact that DNS queries involve a lot of firewall overhead for very small
> amounts of data, you are probably better off just putting them in front of
> your firewall and just watching them. If all you run on them is DNS
> anyway, it will not matter if they are in front of or behind the firewall.
> They can be compromised either way. If they are behind the firewall,
> however, such a compromise gives an attacker a bridgehead into your
> network which would definitely not be a good idea.
>
> -Don
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
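The truncation behaviour the thread argues over (a UDP answer capped at 512 bytes, not 512k, with the server setting the TC bit so the client retries over TCP 53), as an added Python example that is not part of the original thread. The zone name and addresses are constructed, and the builder/parser functions are hypothetical helpers, not any real resolver's API.

```python
import struct

DNS_UDP_MAX = 512  # classic RFC 1035 limit for a UDP response without EDNS0 (bytes, not kilobytes)
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: client should retry the query over TCP 53
FLAG_RD = 0x0100
FLAG_RA = 0x0080


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, addrs):
    """Build an A-record response; if it would exceed 512 bytes, set TC and send only the question."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b"".join(
        b"\xc0\x0c"                                  # compression pointer back to the question name
        + struct.pack("!HHIH", 1, 1, 300, 4)          # TYPE=A, CLASS=IN, TTL=300, RDLENGTH=4
        + bytes(int(octet) for octet in a.split("."))
        for a in addrs
    )
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0) + question + answers
    if len(msg) > DNS_UDP_MAX:
        # RFC 1035 truncation: answers are dropped and TC=1 tells the client to retry over TCP
        flags |= FLAG_TC
        msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    return msg


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a firewall or resolver cares about."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "ancount": ancount}


def needs_tcp_retry(msg):
    """True when a UDP response is truncated, i.e. the follow-up will need TCP 53 open."""
    return parse_header(msg)["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg
```

With the constructed name `example.com` each A answer costs 16 bytes, so 30 addresses fit in one UDP datagram and the 31st tips the response over 512 bytes and forces truncation.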

   All contents © 2004 Network Presence, LLC. All rights reserved.