Re: port 53, please help!
From: sponge (yosponge_at_yahoo.com)
Date: 07/13/03
- Next message: spider: "Checkpoint NG FP3"
- Previous message: sponge: "Re: port 53, please help!"
- In reply to: Tyccea811: "port 53, please help!"
- Next in thread: DamPlastic: "Re: port 53, please help!"
- Reply: sponge: "Re: port 53, please help!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 13 Jul 2003 07:41:01 -0700
On Sat, 12 Jul 2003 18:08:53 -0500, DamPlastic <0> wrote:
>In article <83bb1d7b.0307111403.e1a4666@posting.google.com>,
>tyccea@charter.net says...
>> Win98, AOL 8 DSL, Sygate Personal Firewall (free edition)
>>
>> I blocked all incoming/outgoing UDP on port 53, but I still see in my
>> firewall log that UDP is allowed both ways. I blocked traffic on
>> other ports and that traffic remains blocked. I have checked and
>> re-checked the Advanced Rules on the firewall, and it always shows
>> port 53 as blocked. I have the latest trojan scanner and an updated
>> database for it (similarly for my AVG anti-virus...but it checks by
>> heuristics, if I'm not mistaken). These tools never find anything
>> strange.
>> I searched google & altavista for "port 53", "port assignments", "port
>> security", "ports backdoors", "ports trojans", "trojan port 53",
>> "backdoor port 53", etc., etc... I don't know what else to search for,
>> lol. I searched for almost 5 hours yesterday.
>> I just don't want to find out that I have some re-compiled version of
>> a backdoor on my pc, or a sniffer on my line.
>> wtf? What am I doing wrong? ...I'm still a real newbie here; haven't
>> tried to use a sniffer or anything like that on my comp, so I really
>> don't know what to do.
>>
>> Any help or flame is appreciated. Thanx.
>>
>Well, the answer(s) to the port 53 issue is defined here based on
>about a half dozen configurations.
>
>"The DNS-shaped holes that one cuts into firewalls."
>http://homepages.tesco.net/~J.deBoynePollard/FGA/dns-shaped-firewall-holes.html
>
>I wish someone with a "PHD in computers" could tell us what it means
>to folks with a Win98 connected thru a firewall to internet.
>Such as TCP/UDP, in/out, local/remote port numbers, etc so we
>could write an advanced firewall rule (allow DNS and block malware).
>Thanks
I cover this at my site. Take a look if you want:
www.geocities.com/yosponge/fw/fwmain.html
It's still in the works, and right now I only have instructions
specific to Kerio.
In a nutshell, find out the IP addresses of all your DNS servers. You
can usually get that from your ISP. If you're impatient, you can also
set up a rule in your firewall, while you're online, to deny all
traffic to port 53 (remote; that is, deny all traffic going to another
machine on port 53). Make sure the rule is set up to alert you when
something gets stopped by it. Try typing in a domain name or two, and
write down the IP addresses blocked.
Now, create a rule in your firewall as follows:
Rule Name: Allow DNS #1
Direction: BOTH
Protocol: UDP
Local Port: ANY
Application: ANY
Remote IP Address: SINGLE ADDRESS (enter one of the IP addresses for
one of your DNS servers)
Remote Port: 53
Action: PERMIT
Repeat this for each DNS server IP address you have.
Move the rule you created to block all DNS traffic down below the
rules you just created allowing DNS. If you didn't do that, create
one, as follows, making sure it is located BELOW the Allow DNS rules:
Rule Name: Block All DNS
Direction: BOTH
Protocol: UDP (and TCP, too, if you like)
Local Port: ANY
Application: ANY
Remote IP Address: ANY
Remote Port: 53
Action: DENY
It helps to run each IP address for your DNS servers through
www.samspade.org and see if they really do belong to your ISP. Some
spyware, like Lop/C2Media, and possibly others, hijack your DNS
settings and point them to one of their DNS servers, so you don't want
to permit that.
This is good enough for most setups. You can always tweak it by
restricting local ports to a range of 1024-10000. If you use a
proxying DNS server, like DNSKong (which is a great ad- and
spyware-blocker, by the way), you can set that app up as the only
application allowed to do DNS. Make sure to set the IP addresses of
your DNS servers in its Proxy DNS field, and you'll have quite
formidable protection against DNS hijacking. Not to mention malware.
Sponge
Sponge's Security Site
www.geocities.com/yosponge
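As an added example (not from Sponge's post or site), here is a small first-match model of the rule list described above. It shows why the Block All DNS rule has to sit below the Allow DNS rules, that a query to a resolver not on the allow list (the hijack case) is denied, and that TCP 53 stays blocked unless an allow rule covers it. The resolver addresses are constructed placeholders from the RFC 5737 documentation ranges, not real servers.

```python
from dataclasses import dataclass
from typing import List, Union

@dataclass
class Rule:
    name: str
    direction: str                 # "IN", "OUT" or "BOTH"
    protocol: str                  # "UDP", "TCP" or "ANY"
    remote_ip: str                 # dotted quad or "ANY"
    remote_port: Union[int, str]   # port number or "ANY"
    action: str                    # "PERMIT" or "DENY"

@dataclass
class Packet:
    direction: str
    protocol: str
    remote_ip: str
    remote_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field is a wildcard or equals the packet's value."""
    return (rule.direction in ("BOTH", pkt.direction)
            and rule.protocol in ("ANY", pkt.protocol)
            and rule.remote_ip in ("ANY", pkt.remote_ip)
            and rule.remote_port in ("ANY", pkt.remote_port))

def decide(rules: List[Rule], pkt: Packet, default: str = "PERMIT") -> str:
    """Top-down evaluation: the first matching rule decides, else the default applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

def dns_rules(dns_servers: List[str], block_tcp: bool = True) -> List[Rule]:
    """One 'Allow DNS #n' rule per resolver, then the catch-all 'Block All DNS' below them."""
    allows = [Rule(f"Allow DNS #{i}", "BOTH", "UDP", ip, 53, "PERMIT")
              for i, ip in enumerate(dns_servers, start=1)]
    proto = "ANY" if block_tcp else "UDP"   # "UDP (and TCP, too, if you like)"
    return allows + [Rule("Block All DNS", "BOTH", proto, "ANY", 53, "DENY")]

# Constructed sample addresses (documentation ranges), standing in for the ISP's
# resolvers and for a resolver a DNS hijacker might have planted in the settings.
ISP_DNS = ["192.0.2.1", "192.0.2.2"]
HIJACK_DNS = "203.0.113.9"

def query(rules: List[Rule], resolver_ip: str, proto: str = "UDP") -> str:
    """Decision for an outbound name lookup to the given resolver on port 53."""
    return decide(rules, Packet("OUT", proto, resolver_ip, 53))
```

Putting Block All DNS above the allow rules (as in `rules[-1:] + rules[:-1]`) denies even the ISP resolvers, which is the ordering mistake the post warns about.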