RE: DNS ACL ?

From: Kyle Quest (Kyle.Quest_at_networkengines.com)
Date: 11/22/05

    Date: Tue, 22 Nov 2005 11:08:42 -0500
    To: <pen-test@securityfocus.com>

    -----Original Message-----
    From: Dario Ciccarone (dciccaro) [mailto:dciccaro@cisco.com]
    Sent: Thursday, November 17, 2005 3:07 AM
    To: pen-test@securityfocus.com
    Subject: FW: DNS ACL ?

    >RFC-2671 ('Extension Mechanisms for DNS (EDNS0)') updates RFC-2671 and
    >allows for packet sizes > 512 when using UDP as transport.
    >
    >A reference from MS: http://support.microsoft.com/kb/828263
    >
    >Some queries that might exceed the 512-byte size are those like, for
    >example, www.microsoft.com or www.yahoo.com, due to the number of A
    >records returned.
    >
    >So, you will probably be OK with only allowing 53/udp to your DNS
    >server.

    That's not always true. Yes, DNS extensions have a mechanism to
    increase the UDP message size. However, both sides (clients and servers)
    are involved in the process of negotiating those big messages.
    Not all DNS clients automatically try to negotiate bigger UDP
    messages. The same goes for DNS servers. And there are always security
    devices somewhere on the network that may not allow those extensions...
    either by stripping or disallowing the UDP message size option or
    simply by ignoring (/not understanding) them. My recommendation is
    to not rely on any extended DNS functionality.

    Kyle
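As an added illustration (not part of Kyle's or Dario's messages), the following Python builds and parses minimal DNS messages to show the two points the thread turns on: a querier advertises the UDP payload size it can accept in the CLASS field of an EDNS0 OPT record (RFC 2671), and a reply that does not fit the effective limit (512 bytes when either side, or a device in the path, does not honour EDNS0) comes back with the TC bit set and has to be retried over 53/tcp, which an ACL permitting only 53/udp blocks. The names, addresses and helper functions are constructed for this example.

```python
"""Constructed example: how EDNS0 UDP payload size and the TC bit decide
whether a DNS reply fits in UDP or forces a TCP retry."""
import struct

RFC1035_UDP_LIMIT = 512        # largest UDP DNS message without EDNS0
TYPE_A, TYPE_OPT = 1, 41       # RR types used below
TC_FLAG = 0x0200               # TrunCation bit in the header flags word


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [label for label in name.strip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes end the name
            return off + 2
        if length == 0:                # root label ends the name
            return off + 1
        off += 1 + length


def build_query(name, edns_udp_size=None, txid=0x1234):
    """Standard A query; if edns_udp_size is given, append an OPT RR whose
    CLASS field advertises the UDP payload size the querier can accept."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)        # QTYPE=A, QCLASS=IN
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=UDP size, TTL=ext-RCODE/version/Z, RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def build_response(query, ips, edns_udp_size=None, tc=False):
    """Constructed reply: echo the question, answer with A records (name is a
    compression pointer to the question at offset 12), mirror OPT if asked."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    flags = 0x8180 | (TC_FLAG if tc else 0)          # QR, RD, RA (+TC)
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, arcount) + query[12:qend]
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        msg += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + rdata
    if edns_udp_size:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def parse(msg):
    """Header flags plus the advertised EDNS0 UDP size, if an OPT RR is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                # QTYPE + QCLASS
    edns = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns = rclass                            # OPT CLASS carries the UDP size
    return {"id": txid, "tc": bool(flags & TC_FLAG), "edns_udp_size": edns, "length": len(msg)}


def udp_response_limit(query):
    """Largest reply the querier can take over UDP: 512 unless it advertised EDNS0."""
    return parse(query)["edns_udp_size"] or RFC1035_UDP_LIMIT


def delivery(query, response, edns_honored=True):
    """How the full reply reaches the client through an ACL that permits only 53/udp.
    edns_honored=False models a server or middlebox that ignores/strips the OPT RR.
    Returns 'udp' when it fits, 'tcp-fallback' when the client must retry over TCP
    (which the udp-only ACL would block)."""
    info = parse(response)
    limit = udp_response_limit(query) if edns_honored else RFC1035_UDP_LIMIT
    if info["tc"] or info["length"] > limit:
        return "tcp-fallback"
    return "udp"


if __name__ == "__main__":
    ips = [f"10.0.0.{i}" for i in range(1, 41)]     # constructed: a 40-address answer set
    q_plain = build_query("www.example.com")
    q_edns = build_query("www.example.com", edns_udp_size=4096)
    print(delivery(q_plain, build_response(q_plain, ips)))                       # tcp-fallback
    print(delivery(q_edns, build_response(q_edns, ips, edns_udp_size=4096)))     # udp
    print(delivery(q_edns, build_response(q_edns, ips, 4096), edns_honored=False))  # tcp-fallback
```

The third case in the usage block is the one Kyle describes: the client advertised 4096 bytes, but once a device in the path drops the option the effective limit falls back to 512, so the same reply that fitted in UDP a moment ago now needs TCP.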
