[plug] OT: latest worm affecting bind
Mike Holland
myk at golden.wattle.id.au
Fri Mar 30 12:23:04 WST 2001
On Fri, 30 Mar 2001, Christian wrote:
> On Thu, Mar 29, 2001 at 05:27:04PM +0800, Steve Vertigan wrote:
> > Mike Holland wrote:
> >
> > > I have the UDP dns port open for receiving replies, as in the HOWTO.
> > >
> > > # Accept DNS answers on privileged port.
> > > ipchains -A input -j ACCEPT -i ppp+ -d 0/0 53 -p udp
> > >
> > > Is that safe? I closed it and bind still seems to work locally, presumably
> > > getting replies back over a TCP connection that my end opened.
> > >
> > > Why might I want the UDP port open, as given in the HOWTO example?
> >
> > If I read that correctly you're allowing -incoming- connections to your
> > port 53, not a good idea if you're running a vulnerable bind daemon.
> > Later versions of bind, when making an outgoing connection will make it
> > on an unprivileged port (i.e. 1024-65536ish) unless explicitly instructed
> > to use port 53 which would be why you can still do dns lookups with that
> > line removed. To be thorough you could only allow incoming connection
> > -from- port 53 and -to- an unprivileged port although you probably want
> > the unprivileged ports open for other services.
>
> Maybe I'm missing something really obvious but I think you're not
> actually reading it correctly. UDP is a connectionless protocol so he
> can't possibly be allowing incoming connections. If you want to receive
> replies to DNS queries then you need to allow incoming UDP packets on
> port 53.
Thanks Christian. The thing is, DNS still seems to work after I removed
that entry. Bind seems to be happy with just TCP, and no incoming
connections. Maybe this is a new feature in bind?
I'll mail you my firewall rules off-list.
--
Mike Holland <mike at golden.wattle.id.au>
--==--
I had no shoes and I pitied myself. Then I met a man who had no
feet, so I took his shoes. -- Dave Barry
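The disagreement in this thread comes down to what the quoted ipchains rule actually matches. The following is an added example, not code from the thread or from any of its posters: a small model of ipchains first-match semantics (interface wildcard, protocol, address/port ranges) applied to constructed UDP and TCP packets on a ppp interface. It compares the HOWTO rule (`-d 0/0 53 -p udp`, any source, destination port 53) with a tighter rule that only admits UDP arriving *from* port 53 *to* an unprivileged port, which is the shape of a reply to a query that a resolver sent from an ephemeral port. All addresses are documentation-range placeholders and the packets are constructed, not captured; the `Packet`/`Rule` classes and `verdict()` are this example's own names.

```python
"""Added example (not from the thread): an ipchains-style packet matcher,
used to show which packets the HOWTO rule `-d 0/0 53 -p udp` admits on
the dial-up interface compared with a reply-only rule.
All packets below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on, e.g. "ppp0"
    proto: str      # "udp" or "tcp"
    src: str        # source IP address
    sport: int      # source port
    dst: str        # destination IP address
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    """One `ipchains -A input` rule, limited to the options used here.
    Port ranges follow the ipchains 'lo:hi' convention; 0/0 means any address."""
    target: str                     # "ACCEPT" or "DENY"
    iface: Optional[str] = None     # e.g. "ppp+" (a trailing + is a prefix wildcard)
    proto: Optional[str] = None     # None matches any protocol
    src: str = "0.0.0.0/0"
    sport: Tuple[int, int] = (0, 65535)
    dst: str = "0.0.0.0/0"
    dport: Tuple[int, int] = (0, 65535)


def iface_match(pattern: Optional[str], name: str) -> bool:
    """ipchains interface matching: exact name, or prefix when it ends in '+'."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (iface_match(rule.iface, pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and rule.sport[0] <= pkt.sport <= rule.sport[1]
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport[0] <= pkt.dport <= rule.dport[1])


def verdict(chain, pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule wins, as in ipchains; otherwise the chain policy."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule.target
    return policy


# The HOWTO rule quoted in the thread:
#   ipchains -A input -j ACCEPT -i ppp+ -d 0/0 53 -p udp
HOWTO_CHAIN = [Rule("ACCEPT", iface="ppp+", proto="udp", dport=(53, 53))]

# Tighter alternative: only UDP *from* port 53 *to* an unprivileged port,
# i.e. the shape of an answer to a query the local resolver sent from an
# ephemeral (unprivileged) source port.
REPLY_ONLY_CHAIN = [Rule("ACCEPT", iface="ppp+", proto="udp",
                         sport=(53, 53), dport=(1024, 65535))]

# Constructed packets (RFC 5737 documentation addresses, not real hosts).
REPLY = Packet("ppp0", "udp", "192.0.2.53", 53, "203.0.113.7", 34567)    # answer to our query
QUERY = Packet("ppp0", "udp", "198.51.100.9", 41234, "203.0.113.7", 53)  # a query aimed at *our* bind
TCP_SYN = Packet("ppp0", "tcp", "198.51.100.9", 41234, "203.0.113.7", 53)


def compare() -> dict:
    """Verdict of each chain for each constructed packet: {name: (howto, reply_only)}."""
    return {name: (verdict(HOWTO_CHAIN, pkt), verdict(REPLY_ONLY_CHAIN, pkt))
            for name, pkt in [("reply", REPLY), ("query", QUERY), ("tcp_syn", TCP_SYN)]}


if __name__ == "__main__":
    for name, (howto, tight) in compare().items():
        print(f"{name:8s} HOWTO rule: {howto:6s}  reply-only rule: {tight}")
```

Run as written, the HOWTO rule accepts the inbound query to port 53 (the case Steve worried about) and does not match the reply to a query sent from an ephemeral port, since that reply's destination port is 34567, not 53; the reply-only rule does the opposite. Which of the two a given resolver needs depends on the source port it uses for outgoing queries, which is exactly the setting the thread is discussing.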