Re: DNS ACL ?

From: Stephen J. Smoogen (smooge_at_gmail.com)
Date: 11/12/05

  • Next message: Sam Johnson: "RE: Core Impact references"
    Date: Sat, 12 Nov 2005 11:23:23 -0700
    To: John Hally <JHally@epnet.com>
    
    

    On 11/11/05, John Hally <JHally@epnet.com> wrote:
    > Hello All,
    >
    > I need a sanity check regarding DNS ACLs. For external facing DNS servers
    > you need to allow only udp/53 inbound, correct? I know tcp/53 is used for
    > zone transfers and requests/replies greater than a certain size, but they
    > shouldn't typically happen for general DNS queries, correct?
    >

    I think that the backbone DNS servers and certain upstream DNS servers
    require TCP, and if for some reason a query cannot fit into a single
    UDP packet it will switch to TCP.

    So if you do not have insane hostnames or extra info (long TXT
    sections, etc.), then TCP would not be needed to the world. Locking it
    down so that it only talks to known upstream boxes would probably be
    correct.

    --
    Stephen J Smoogen.
    CSIRT/Linux System Administrator
    

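As an added illustration of the size argument in Stephen's reply (example code written for this page, not from the thread): a resolver falls back to tcp/53 only when the UDP answer would exceed the classic 512-byte limit and the server sets the TC bit. The builder below models that decision for constructed sample records (no EDNS0, no name compression, sample names are placeholders).

```python
# Added example: estimate whether a DNS response fits the classic 512-byte
# UDP payload limit (RFC 1035, no EDNS0) and so whether the server would set
# TC and the client would retry over TCP. All records are constructed samples.
import struct

UDP_LIMIT = 512  # classic DNS-over-UDP limit without EDNS0

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def txt_rdata(text):
    """RDATA for a TXT record: one or more <character-string>s of <= 255 bytes."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def build_response(qname, rrs, max_udp=UDP_LIMIT):
    """Build an uncompressed response with (owner, type, rdata) answers.
    If the full message would exceed max_udp, set TC (flags bit 0x0200) and
    drop the answer section, as a server does before the client retries over TCP."""
    qtype = rrs[0][1] if rrs else 1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answers = b"".join(
        encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
        for owner, rtype, rdata in rrs)
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR
    if 12 + len(question) + len(answers) > max_udp:
        flags |= 0x0200  # TC: answer does not fit in one UDP datagram
        answers, ancount = b"", 0
    else:
        ancount = len(rrs)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0) + question + answers

def is_truncated(msg):
    """Read the TC bit from a DNS message header."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)

# Constructed samples: one A record vs. three long SPF-style TXT records.
A_ONLY = [("www.example.test", 1, bytes([192, 0, 2, 10]))]
LONG_TXT = [("example.test", 16, txt_rdata("v=spf1 " + "ip4:192.0.2.0/24 " * 12 + "-all"))] * 3

def needs_tcp(rrs, qname="example.test"):
    """True if the UDP answer would be truncated, forcing a TCP retry."""
    return is_truncated(build_response(qname, rrs))
```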