NTBugtraq And NTSecurity Archives: Re: DNS and TCP/IP security

Subject: Re: DNS and TCP/IP security
From: cbrenton (cbrentonSOVER.NET)
Date: Tue Dec 14 1999 - 21:24:17 CST


On Tue, 14 Dec 1999, Matthew Spool wrote:

> I'm having some problems getting DNS to work correctly when configuring NT
> TCP/IP security. I'm restricting TCP ports to 80 and 443, UDP ports to 53,
> and IP Protocols to 6 and 17. For some reason, my machine will no longer
> resolve host names.

Makes sense since you are blocking the required ports. ;)

When your system transmits a DNS query, you are using the following:
source port < 1023
destination port = 53

So when the reply comes back, it's going to try and reach your system using
a port above 1023. According to the above, you have blocked these ports
(you only enabled UDP/53).

To verify what I'm talking about, launch a session and do a:
netstat -a |more

You'll see that your system is expecting a reply on a port above 1023.

Note the reason that you are not having an identical problem with TCP is
because filtering only works on traffic where SYN=1. Since this would not
be the case for your HTTP replies (SYN=1 is only for connection
establishment), the filters are bypassed. Note this means that TCP
filtering is pretty useless against advanced scanning tricks (I could still
figure out if NetBIOS/IP is listening). UDP has no flags to announce state,
so you actually end up blocking all unspecified UDP traffic.

So what do you do?
1) Create an entry for every port from 1024-10000
2) Install RRAS and use its filtering instead

> I have also tried it
> allowing TCP port 53 as sometimes DNS will use TCP instead of UDP.

Yup. When a reply will be greater than 512 bytes, TCP is used. Best to
enable this as well.

Cheers,
Chris

--
**************************************
cbrentonsover.net

* Multiprotocol Network Design & Troubleshooting http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet * Mastering Network Security http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
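The behaviour Chris describes can be reproduced with a small model. The code below is an added example, not code from this thread, from Microsoft, or from RRAS: `nt_filter_allows` models the stateless per-port allow list as the message explains it (protocol list always checked, TCP ports checked only on connection attempts, every UDP datagram checked against the destination port), and `stateful_allows` is a contrast model of a filter that tracks the flows the host opened. The packet names, port numbers and the `OPEN_FLOWS` table are constructed for the example; the reading of "SYN=1" as "SYN set, ACK clear" is an assumption of the model.

```python
from dataclasses import dataclass

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    """An inbound packet as the filtered host sees it (constructed fields only)."""
    proto: int
    src_port: int   # port on the remote host
    dst_port: int   # port on the filtered host
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class PortPolicy:
    """The three allow lists the NT 'TCP/IP Security' dialog exposes."""
    tcp_ports: frozenset
    udp_ports: frozenset
    ip_protocols: frozenset


def nt_filter_allows(pkt: Packet, policy: PortPolicy) -> bool:
    """Stateless allow-list check modelled on the message above.

    Model assumptions: the protocol list is always consulted; TCP ports are
    only checked on connection attempts (SYN set, ACK clear), which is why
    replies on established connections pass; UDP carries no flags, so every
    datagram is matched against the destination-port list.
    """
    if pkt.proto not in policy.ip_protocols:
        return False
    if pkt.proto == TCP:
        if pkt.syn and not pkt.ack:
            return pkt.dst_port in policy.tcp_ports
        return True                     # not a connection attempt: unfiltered
    if pkt.proto == UDP:
        return pkt.dst_port in policy.udp_ports
    return True                         # other protocols have no port to check


def stateful_allows(pkt: Packet, policy: PortPolicy, flows: frozenset) -> bool:
    """Contrast model: admit replies to flows this host opened (`flows` holds
    (proto, local_port, remote_port) tuples for outbound traffic) and apply the
    allow lists to everything else, SYN or not."""
    if pkt.proto not in policy.ip_protocols:
        return False
    if (pkt.proto, pkt.dst_port, pkt.src_port) in flows:
        return True
    if pkt.proto == TCP:
        return pkt.syn and not pkt.ack and pkt.dst_port in policy.tcp_ports
    if pkt.proto == UDP:
        return pkt.dst_port in policy.udp_ports
    return True


# The poster's configuration, and the first remedy from the reply
# (enumerate the 1024-10000 range as allowed UDP ports).
ORIGINAL = PortPolicy(frozenset({80, 443}), frozenset({53}), frozenset({TCP, UDP}))
WITH_EPHEMERAL = PortPolicy(
    frozenset({80, 443}),
    frozenset({53}) | frozenset(range(1024, 10001)),
    frozenset({TCP, UDP}),
)

# Constructed inbound traffic; the ephemeral port numbers are illustrative.
TRAFFIC = {
    "dns_reply": Packet(UDP, src_port=53, dst_port=1025),           # answer to our query
    "http_data": Packet(TCP, src_port=80, dst_port=1026, ack=True),  # mid-connection, SYN clear
    "netbios_non_syn": Packet(TCP, src_port=40000, dst_port=139, ack=True),  # unsolicited, SYN clear
}
# Flows this host opened: the DNS query and the HTTP connection above.
OPEN_FLOWS = frozenset({(UDP, 1025, 53), (TCP, 1026, 80)})


def evaluate_nt(policy: PortPolicy) -> dict:
    """Verdict of the stateless model for each constructed packet."""
    return {name: nt_filter_allows(pkt, policy) for name, pkt in TRAFFIC.items()}


def evaluate_stateful(policy: PortPolicy, flows: frozenset = OPEN_FLOWS) -> dict:
    """Verdict of the stateful contrast model for each constructed packet."""
    return {name: stateful_allows(pkt, policy, flows) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for label, result in (("NT filter, original policy", evaluate_nt(ORIGINAL)),
                          ("NT filter, 1024-10000 added", evaluate_nt(WITH_EPHEMERAL)),
                          ("stateful filter, original policy", evaluate_stateful(ORIGINAL))):
        print(f"{label}: {result}")
```

Running it shows the three points of the reply side by side: with the poster's policy the DNS answer to the ephemeral port is dropped while HTTP data passes, adding the 1024-10000 range lets the DNS answer through, and the stateless model also passes the unsolicited non-SYN packet to 139, which the stateful model drops because it belongs to no flow the host opened.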



This archive was generated by hypermail 2b27 : Tue Dec 14 1999 - 22:24:39 CST