Re: DNS ACL ?

From: Chris Brenton (cbrenton_at_chrisbrenton.org)
Date: 11/13/05

To: John Hally <JHally@epnet.com>
Date: Sat, 12 Nov 2005 19:05:37 -0500

On Fri, 2005-11-11 at 08:35 -0500, John Hally wrote:
>
> I need a sanity check regarding DNS ACLs. For external facing DNS servers
> you need to allow only udp/53 inbound, correct? I know tcp/53 is used for
> zone transfers and requests/replies greater than a certain size, but they
> shouldn't typically happen for general dns queries correct?

Correct. Typically what gets people into trouble is when they create a
PTR record that associates a dozen+ host names with a specific IP
address. If you are not doing this, you are probably fine.

Quick test would be to use dig to run through all the queries you want
resolvable from the Internet. If you never get an answer with the
truncation bit set in the DNS header, you are in good shape.

As a side note, make sure all Internet exposed name servers are
_non-recursive_. Cache poisoning, domain parking and a host of other
nasty things can happen otherwise.

HTH,
Chris
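The two header checks Chris describes (no TC bit on any answer, and no recursion offered) can be automated instead of reading dig output by eye. The following is an added example, not code from the list post: it decodes the DNS header with the standard library, flags TC and RA, and can send a plain query over udp/53 if you have network access. The `audit()` and `build_query()` helpers and the sample replies are my own construction.

```python
import socket
import struct

# RFC 1035 s4.1.1 header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (all 16-bit, network order).
DNS_HEADER = struct.Struct("!HHHHHH")

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header and the flag bits of a raw DNS message."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),  # 1 = response
        "aa": bool(flags & 0x0400),  # authoritative answer
        "tc": bool(flags & 0x0200),  # truncated: answer did not fit the UDP reply
        "rd": bool(flags & 0x0100),  # client asked for recursion
        "ra": bool(flags & 0x0080),  # server advertises recursion
        "rcode": flags & 0x000F,
        "ancount": an,               # large PTR round-robins push this up and trigger TC
    }

def audit(msg: bytes) -> list:
    """Findings for a reply from an Internet-facing authoritative server (hypothetical helper)."""
    h = parse_header(msg)
    findings = []
    if h["tc"]:
        findings.append("TC set: client retries over tcp/53, so a udp/53-only ACL breaks this name")
    if h["ra"]:
        findings.append("RA set: server advertises recursion; Internet-facing servers should be non-recursive")
    return findings

def build_query(name: str, qtype: int = 1, ident: int = 0x1234) -> bytes:
    """Encode one question with RD clear; qtype 1 = A, 12 = PTR, 15 = MX."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels)
    return DNS_HEADER.pack(ident, 0x0000, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def udp_query(server: str, name: str, qtype: int = 1) -> bytes:
    """Send the query over udp/53 and return the raw reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, qtype), (server, 53))
        return s.recv(4096)

# Constructed sample replies (header only, not real captures).
OK_REPLY = DNS_HEADER.pack(0x1234, 0x8400, 1, 1, 0, 0)             # QR|AA
TRUNCATED_REPLY = DNS_HEADER.pack(0x1234, 0x8600, 1, 8, 0, 0)      # QR|AA|TC
OPEN_RESOLVER_REPLY = DNS_HEADER.pack(0x1234, 0x8180, 1, 1, 0, 0)  # QR|RD|RA

if __name__ == "__main__":
    for label, reply in (("ok", OK_REPLY), ("truncated", TRUNCATED_REPLY), ("open", OPEN_RESOLVER_REPLY)):
        print(label, audit(reply) or ["no findings"])
```

Run `audit(udp_query("<ns-ip>", name, qtype))` for each name and type you expect the Internet to resolve; an empty list for every query means the udp/53-only ACL and the non-recursive configuration both hold.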


