NTBugtraq And NTSecurity Archives: Re: DNS and TCP/IP security

Subject: Re: DNS and TCP/IP security
From: David LeBlanc (dleblancMINDSPRING.COM)
Date: Wed Dec 15 1999 - 12:22:09 CST


Good work-around - some other things to consider are:

1) Just leave UDP unregulated - you're not exposing much. 135, 137 and 138
are all that's running on that protocol (by default). There have been DoS
attacks against some of these in the past, but I don't think there's
anything substantial that would work now (corrections welcome). Speaking
of things running on UDP, if you're going to do this, one additional step
that you might take would be to cause DCOM to run across TCP. Whether you
want to do this depends on your threat scenario. On an NT 4.0 SP4 or later
machine, dcomcnfg has a default protocols tab that you can use to define
the transports which DCOM can use.

2) Use RRAS filters; alternatively, Win2k's IPSec policies also have port
filtering capabilities that should do the job.

3) IMHO, taking this step is overkill for an internal host. If you've got
an external host, put a router or firewall in front of this machine and its
peers. You'll get more flexible router ACLs, and be able to configure what
the machine sees much more closely.

4) Lastly, if there are only a small number of hosts that this machine
deals with, create a hosts file, and now you don't need DNS. If you can
meet the above condition, this is probably the simplest and easiest thing to do.

IIRC, there is a port of bind to NT.

The one thing that's missing out of the original post is what the machine's
being used for - I'd have different answers for a home DSL machine than I
would for an externally-exposed machine for a web site, and for an internal box.

At 12:04 PM 12/15/99 +0100, Bronek Kozicki wrote:

>3) install DNS server locally. Configure this local DNS as "forwarding only"
>to the other (real) DNS. Configure your client software to use local DNS
>server only. Your local DNS will forward query to the real DNS, and receive
>response on UDP (or TCP) port 53 - the one you left uncovered. Of course for
>this to work you need to have DNS server. If your local computer is WinNT
>Srv it's not a problem, but I do not know if BIND can be used in case you
>have WinNT Wrkst. Does anyone know?

David LeBlanc
dleblancmindspring.com
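The two resolution paths discussed in this thread, the hosts file that avoids DNS altogether (point 4 above) and the "forwarding only" server that sends every query to one real DNS server on port 53 (Bronek's quoted option 3), as an added example that is not code from either poster. It is a minimal stub resolver in Python: it consults a constructed hosts file first, otherwise builds an A query, parses the forwarder's reply (including name compression pointers), and repeats the query over TCP/53 with the 2-byte length prefix when the UDP reply comes back truncated. The forwarder address 192.0.2.53, the hosts file contents, and the `make_reply`/`_fake_*` functions that play the forwarder's side are constructed so the exchange runs offline; only `udp_query` touches the network.

```python
# Added example, not from the original post: a minimal forward-only stub resolver that checks the
# hosts file first and otherwise sends one A query to a single forwarder on UDP/53, then TCP/53 if truncated.
import socket
import struct

# Constructed hosts file in the usual "address name [alias ...]" format
CONSTRUCTED_HOSTS = """127.0.0.1   localhost
10.0.0.5    fileserver  box1   # first entry for a name wins
"""

def parse_hosts(text):
    table = {}
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def build_query(name, txid):
    # Standard query with RD=1 and one question: <name> IN A
    qname = b''.join(bytes([len(l)]) + l.encode('ascii') for l in name.rstrip('.').split('.'))
    return struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0) + qname + b'\x00' + struct.pack('!HH', 1, 1)

def read_name(msg, off):
    # Decode a possibly compressed name; return it and the offset just past it in the stream
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            end = off + 2 if end is None else end
            hops += 1
            if hops > 16:
                raise ValueError('compression pointer loop')
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels), (off if end is None else end)

def parse_reply(msg, expected_txid):
    txid, flags, qd, an, _, _ = struct.unpack('!HHHHHH', msg[:12])
    if txid != expected_txid:                         # drop replies that do not match our query
        raise ValueError('transaction id mismatch')
    off = 12
    for _ in range(qd):                               # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return {'rcode': flags & 0x000F, 'truncated': bool(flags & 0x0200), 'answers': answers}

def udp_query(query, forwarder):
    # Real UDP/53 exchange, used when no constructed sender is injected
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(query, (forwarder, 53))
        return s.recv(512)

def resolve(name, hosts, forwarder, txid=0x1234, udp_send=udp_query, tcp_send=None):
    name = name.lower().rstrip('.')
    if name in hosts:
        return [hosts[name]], 'hosts'
    query = build_query(name, txid)
    reply, source = parse_reply(udp_send(query, forwarder), txid), 'dns-udp'
    if reply['truncated']:                            # TC=1: repeat over TCP/53 with a 2-byte length prefix
        if tcp_send is None:
            raise ValueError('UDP reply truncated and no TCP sender supplied')
        raw = tcp_send(struct.pack('!H', len(query)) + query, forwarder)
        reply, source = parse_reply(raw[2:2 + struct.unpack('!H', raw[:2])[0]], txid), 'dns-tcp'
    return [ip for _, ip, _ in reply['answers']], source

def make_reply(query, ip, truncated=False):
    # Constructed forwarder reply to `query`; the answer name is a pointer (0xC00C) to offset 12
    txid = struct.unpack('!H', query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0)
    msg = struct.pack('!HHHHHH', txid, flags, 1, 0 if ip is None else 1, 0, 0) + query[12:]
    if ip is not None:
        msg += b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 300, 4) + socket.inet_aton(ip)
    return msg

def _fake_udp(query, forwarder):                      # constructed: UDP reply truncated, no answers
    return make_reply(query, None, truncated=True)
def _fake_tcp(framed_query, forwarder):               # constructed: TCP reply carries the answer
    reply = make_reply(framed_query[2:], '192.0.2.10')
    return struct.pack('!H', len(reply)) + reply

def demo(forwarder='192.0.2.53'):                     # forwarder address is a placeholder
    hosts, senders = parse_hosts(CONSTRUCTED_HOSTS), dict(udp_send=_fake_udp, tcp_send=_fake_tcp)
    return resolve('FileServer', hosts, forwarder, **senders), resolve('www.example.com', hosts, forwarder, **senders)
```

`demo()` resolves `fileserver` from the hosts file without any traffic and `www.example.com` through the simulated forwarder, which answers truncated on UDP and completely on TCP; a firewall or RRAS filter that leaves only port 53 to the forwarder open must therefore permit both UDP and TCP on that port, which is the point of the quoted option 3. The transaction-id check and the pointer-hop limit are the minimum sanity checks a stub resolver should apply to an unauthenticated reply.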



This archive was generated by hypermail 2b27 : Wed Dec 15 1999 - 14:37:52 CST