[plug] OT: latest worm affecting bind

Steve Vertigan vertigan at bigfoot.com
Fri Mar 30 15:43:41 WST 2001


Christian wrote:

> > If I read that correctly you're allowing -incoming- connections to your
> > port 53, not a good idea if you're running a vulnerable bind daemon.
> > Later versions of bind, when making an outgoing connection will make it
> > on an unprivileged port (ie 1024-65536ish) unless explicitly instructed
> > to use port 53
 
> Maybe I'm missing something really obvious but I think you're not
> actually reading it correctly.  UDP is a connectionless protocol so he
> can't possibly be allowing incoming connections.  If you want to receive
> replies to DNS queries then you need to allow incoming UDP packets on
> port 53.

Sorry, but that's incorrect.  I can do dns queries with port 53 blocked
for both udp and tcp.  Your DNS resolver accepts the query from you on
port 53 but sends its query from an unprivileged port, hence that's
where the upstream server sends its reply packet.
Let me reiterate: the *only* machines that should be allowed to send
traffic to your port 53 (udp|tcp) are machines that you want to be able
to query -you-.  For most people that's your local network if you're just a
dns cache and the whole world if you're an authoritative nameserver for
your domain.  If y'all still don't believe me have a look at
http://cr.yp.to/djbdns/faq/orientation.html#firewall
:)
(Although written with djbdns in mind this faq should hold true for
modern binds)

But yes you're right when you say udp is stateless so he's not allowing
"connections".  It was sloppy of me to use that word so I apologise, I
normally think in terms of tcp when I'm talking about firewalling which
I probably shouldn't. :)

Regards,
Steve

-- 
FreeBSD maelstrom.dyn.dhs.org 3.4-STABLE i386
 3:25PM  up 17 days, 23:08, 2 users, load averages: 0.04, 0.03, 0.01
"I don't mind going nowhere as long as it's an interesting path."
		-- Ronald Mabbitt
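Added example, not from the original post and not BIND's or djbdns's own code: a toy stateful packet filter that models the rules Steve describes. A caching resolver accepts queries on port 53 only from the local network (or from anyone, if it is authoritative), sends its own upstream queries from an unprivileged source port, and the upstream reply therefore lands on that ephemeral port rather than on port 53. The addresses (192.168.0.0/24 as the LAN, 192.168.0.1 as the cache, 198.51.100.2 as the upstream server), the packets and the scenario names are all constructed for illustration. It also covers the "explicitly instructed to use port 53" case from the quoted text: with a state table the reply still gets through, whereas a stateless "drop everything to port 53 from outside" rule would have broken it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed addresses (RFC 5737 documentation ranges), not from the post.
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")   # assumed LAN behind the cache
RESOLVER = "192.168.0.1"                              # assumed address of our BIND cache
UPSTREAM = "198.51.100.2"                             # assumed upstream nameserver

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


class DnsFilter:
    """Host firewall in front of a DNS server, modelled as a tiny stateful filter."""

    def __init__(self, authoritative: bool = False) -> None:
        self.authoritative = authoritative
        self.pending: Set[Flow] = set()   # our own outstanding upstream queries

    def outbound(self, pkt: Packet) -> bool:
        # Remember every DNS query the resolver sends, whatever source port
        # BIND chose, so that exactly the matching reply can come back in.
        if pkt.src == RESOLVER and pkt.dport == 53:
            self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        if pkt.proto not in ("udp", "tcp") or pkt.dst != RESOLVER:
            return False
        # 1. Reply to a query we sent: the reversed 4-tuple is in the state table.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.pending:
            self.pending.discard(reverse)
            return True
        # 2. Somebody is querying *us* on port 53: only our own clients may,
        #    unless we are authoritative and have to answer the whole world.
        if pkt.dport == 53:
            return self.authoritative or ipaddress.ip_address(pkt.src) in LOCAL_NET
        # 3. Anything else aimed at the resolver, including an unsolicited
        #    "reply" with source port 53 that matches no query of ours, is dropped.
        return False


def run_scenarios() -> Dict[str, bool]:
    """Constructed traffic exercising the rules; returns scenario name -> allowed."""
    results: Dict[str, bool] = {}

    cache = DnsFilter(authoritative=False)
    # A LAN client asks the cache.
    results["lan client query"] = cache.inbound(
        Packet("udp", "192.168.0.10", 3456, RESOLVER, 53))
    # An outside host tries to query (or poke at) the cache directly.
    results["outside query to cache"] = cache.inbound(
        Packet("udp", "203.0.113.7", 1234, RESOLVER, 53))
    # The cache queries upstream from an unprivileged port; the reply comes back there.
    cache.outbound(Packet("udp", RESOLVER, 40000, UPSTREAM, 53))
    results["upstream reply to ephemeral port"] = cache.inbound(
        Packet("udp", UPSTREAM, 53, RESOLVER, 40000))
    # A packet from port 53 that answers nothing we asked.
    results["unsolicited packet from port 53"] = cache.inbound(
        Packet("udp", "198.51.100.9", 53, RESOLVER, 40001))
    # BIND told to send queries from port 53: the reply arrives on port 53 from
    # outside the LAN and passes only because the state table matches it.
    cache.outbound(Packet("udp", RESOLVER, 53, UPSTREAM, 53))
    results["reply when querying from port 53"] = cache.inbound(
        Packet("udp", UPSTREAM, 53, RESOLVER, 53))

    # An authoritative server must accept queries from anywhere.
    auth = DnsFilter(authoritative=True)
    results["outside query to authoritative"] = auth.inbound(
        Packet("udp", "203.0.113.7", 1234, RESOLVER, 53))
    return results


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:36s} {'ALLOW' if allowed else 'DROP'}")
```

Run it directly to see each constructed packet marked ALLOW or DROP. The state table is the part a 2001-era stateless ruleset lacked: without it you either open every port above 1024 to anything claiming source port 53, or you break resolvers that were configured to send their queries from port 53.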


