Network Security Pen-Test

RE: DNS ACL ?

Subject: RE: DNS ACL ?
Date: Wed, 23 Nov 2005 12:56:39 -0500
Jeff:

    We had a similar discussion here with some other people. I hear that
one again and again - 'need TCP to be RFC compliant'. I've checked 1035,
and also "DNS & BIND" by Albitz and Liu - and all I can find is the
*suggestion* for resolvers to retry using TCP, not a *requirement*.
I would sincerely appreciate it if you could provide us with an
authoritative reference to try and settle the matter :)

    thanks,
    Dario
  


________________________________

        From: Jeff Gercken [mailto:JeffG@kizan.com]
        Sent: Tuesday, November 22, 2005 9:17 AM
        To: Dario Ciccarone (dciccaro); pen-test@securityfocus.com
        Subject: RE: DNS ACL ?

        Be aware that if you drop TCP DNS traffic you won't be RFC
        compliant. A method of spoof protection is to deny UDP requests,
        indicating to the client they should use TCP. I know this is
        employed by one of Cisco's anti-DoS devices.

        -jeff

________________________________

        From: Dario Ciccarone (dciccaro) [mailto:dciccaro@cisco.com]
        Sent: Thu 11/17/2005 3:06 AM
        To: pen-test@securityfocus.com
        Subject: FW: DNS ACL ?
        
        

         Guess moderation doesn't work sometimes.
        
        Hi! This is the ezmlm program. I'm managing the
        pen-test@securityfocus.com mailing list.
        
        I'm working for my owner, who can be reached
        at pen-test-owner@securityfocus.com.
        
        I'm sorry, the list moderators for the pen-test list
        have failed to act on your post. Thus, I'm returning it to you.
        If you feel that this is in error, please repost the message
        or contact a list moderator directly.
        
        --- Enclosed, please find the message you sent.
        
        -----Original Message-----
        From: Dario Ciccarone (dciccaro)
        Sent: Saturday, November 12, 2005 12:26 AM
        To: John Hally; pen-test@securityfocus.com
        Subject: RE: DNS ACL ?

        Yup.

        RFC-1035 specifies that DNS queries should use UDP as transport -
        and queries are sent to the DNS server IP address, port 53. If the
        server finds that the answer section is > 512 bytes, it should
        reply with at most 512 bytes and set the TC bit in the answer. It
        is up to the host performing the query to retry it using TCP.
        Check section '4.2. Transport' on the RFC.

        RFC-2671 ('Extension Mechanisms for DNS (EDNS0)') updates
        RFC-1035 and allows for packet sizes > 512 when using UDP as
        transport.

        A reference from MS: http://support.microsoft.com/kb/828263

        Some queries that might exceed the 512-byte size are those like,
        for example, www.microsoft.com or www.yahoo.com, due to the number
        of A records returned.

        So, you will probably be OK with only allowing 53/udp to your DNS
        server.

        Thanks,
        Dario
        
        
        
        > -----Original Message-----
        > From: John Hally [mailto:JHally@epnet.com]
        > Sent: Friday, November 11, 2005 8:35 AM
        > To: 'pen-test@securityfocus.com'
        > Subject: DNS ACL ?
        >
        > Hello All,
        >
        > I need a sanity check regarding DNS ACLs. For external-facing
        > DNS servers you need to allow only udp/53 inbound, correct? I
        > know tcp/53 is used for zone transfers and requests/replies
        > greater than a certain size, but they shouldn't typically happen
        > for general DNS queries, correct?
        >
        > Thanks in advance!

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
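The behaviour discussed in the thread (the 512-byte UDP limit of RFC 1035 section 4.2, the server setting TC and the resolver retrying over TCP, the EDNS0 OPT record from RFC 2671 that raises the UDP limit, and what a resolver is left with when 53/tcp is filtered) as an added, runnable example. This is a toy in-memory server and resolver written for this page, not code from any poster or from BIND; the name www.example.com and the 32 addresses are constructed sample data, and the server-side simplifications (dropping trailing A records to fit, not echoing an OPT record in its own reply) are this example's, not anything the thread describes.

```python
"""Toy DNS resolver/server in memory (stdlib only). It builds real RFC 1035
wire format so the 512-byte UDP limit, the TC bit, the TCP retry and the
EDNS0 payload-size escape hatch show up as bytes rather than as prose."""
import struct

MAX_UDP_PAYLOAD = 512   # RFC 1035 4.2.1: UDP messages are limited to 512 bytes
QR_BIT, TC_BIT, RD_BIT, RA_BIT = 0x8000, 0x0200, 0x0100, 0x0080
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

# Constructed sample data (not from the thread): 32 A records for one name.
SAMPLE_NAME = "www.example.com"
SAMPLE_ADDRS = [f"10.0.{i // 256}.{i % 256}" for i in range(32)]


def encode_name(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def _skip_name(buf: bytes, off: int) -> int:
    """Offset just past the name at `off`; a 0xC0xx compression pointer is 2 bytes."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_query(qname: str, txid: int = 0x1234, edns_udp_size: int = 0) -> bytes:
    """Standard A/IN query. With edns_udp_size > 0 an OPT RR (RFC 2671) is appended
    whose CLASS field advertises the UDP payload size the client can accept."""
    header = struct.pack("!HHHHHH", txid, RD_BIT, 1, 0, 0, 1 if edns_udp_size else 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    opt = b""
    if edns_udp_size:   # root name, TYPE=41, CLASS=payload size, TTL=ext-rcode/ver/flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def advertised_udp_size(query: bytes) -> int:
    """UDP payload size the client advertised in an OPT RR, or 512 if there is none."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(query, off) + 4            # skip QTYPE + QCLASS
    size = MAX_UDP_PAYLOAD
    for i in range(an + ns + ar):
        off = _skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT and i >= an + ns:      # OPT lives in the additional section
            size = max(rclass, MAX_UDP_PAYLOAD)     # values below 512 count as 512
    return size


def build_response(query: bytes, addrs: list, truncated: bool = False) -> bytes:
    """One A record per address. The question is copied and each answer's owner
    name is a compression pointer (0xC00C) back to it, as real servers do."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    flags = QR_BIT | RD_BIT | RA_BIT | (TC_BIT if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                   + bytes(int(o) for o in a.split(".")) for a in addrs)
    return header + question + rrs


def udp_server(query: bytes, addrs: list) -> bytes:
    """Over UDP: the whole answer if it fits the client's limit (512 or the EDNS0
    size), otherwise as many records as fit with TC set (RFC 1035 4.2.1)."""
    limit = advertised_udp_size(query)
    full = build_response(query, addrs)
    if len(full) <= limit:
        return full
    kept = list(addrs)
    while kept and len(build_response(query, kept, truncated=True)) > limit:
        kept.pop()
    return build_response(query, kept, truncated=True)


def tcp_server(query: bytes, addrs: list) -> bytes:
    """Over TCP (RFC 1035 4.2.2): 2-byte length prefix, never truncated."""
    full = build_response(query, addrs)
    return struct.pack("!H", len(full)) + full


def parse_response(resp: bytes):
    """Return (tc_flag, [A record addresses]) from a response message."""
    _, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return bool(flags & TC_BIT), addrs


def resolve(qname: str, addrs: list, tcp_allowed: bool = True, edns_udp_size: int = 0):
    """Client side: ask over UDP; if TC is set, retry over TCP unless the firewall
    drops 53/tcp, in which case only the truncated UDP answer is available.
    Returns (transport that produced the result, addresses obtained)."""
    query = build_query(qname, edns_udp_size=edns_udp_size)
    tc, got = parse_response(udp_server(query, addrs))
    if not tc:
        return "udp", got
    if not tcp_allowed:
        return "udp-truncated", got     # real resolvers may instead retry or fail
    raw = tcp_server(query, addrs)
    length = struct.unpack("!H", raw[:2])[0]
    return "tcp", parse_response(raw[2:2 + length])[1]


if __name__ == "__main__":
    print(resolve(SAMPLE_NAME, SAMPLE_ADDRS[:4]))                  # ('udp', 4 addresses)
    print(resolve(SAMPLE_NAME, SAMPLE_ADDRS))                      # ('tcp', 32 addresses)
    print(resolve(SAMPLE_NAME, SAMPLE_ADDRS, tcp_allowed=False))   # ('udp-truncated', 29 addresses)
    print(resolve(SAMPLE_NAME, SAMPLE_ADDRS, edns_udp_size=4096))  # ('udp', 32 addresses)
```

With this question a plain UDP response is 33 bytes plus 16 bytes per A record, so 29 records fit in 512 bytes and the 30th pushes the message to 513; the truncated reply therefore carries 29 addresses and TC set. The four calls in the main block are the four situations the thread argues about: a small answer over UDP, a large answer completed over TCP, a large answer cut off because 53/tcp is filtered, and a large answer delivered over UDP because the client advertised a 4096-byte EDNS0 payload size.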

