[plug] OT: latest worm affecting bind
Christian
christian at amnet.net.au
Fri Mar 30 15:42:45 WST 2001
On Fri, Mar 30, 2001 at 03:43:41PM +0800, Steve Vertigan wrote:
> Sorry, but that's incorrect. I can do DNS queries with port 53 blocked
> for both UDP and TCP. Your DNS resolver accepts the query from you on
> port 53 but sends its query from an unprivileged port, hence that's
> where the upstream server sends its reply packet.
> Let me reiterate: the *only* machines that should be allowed to send
> traffic to your port 53 (udp|tcp) are machines that you want to be able
> to query -you-. For most people that's your local network if you're just a
> DNS cache and the whole world if you're an authoritative nameserver for
> your domain. If y'all still don't believe me have a look at
> http://cr.yp.to/djbdns/faq/orientation.html#firewall
Yeah, sorry, you're right. What I was thinking of is that you need to
allow incoming UDP packets *from* port 53 which effectively means that
you're opening yourself up to any UDP packets anyone cares to send
(within the restrictions of any other rules).
--
DSA 0x0EC1D28C: BBCB 0D79 4EBB 078A A066 7267 8BED E9D6 0EC1 D28C
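The two positions in the exchange above (allow any UDP whose source port is 53, versus only accept replies to queries the resolver itself sent, plus queries to port 53 from the hosts you serve) can be modelled as two packet-filter policies. The following is an added example, not code from the list thread or from any firewall product; the addresses, ports and packets are constructed, and the filter matches on the address/port tuple only, the way a stateful packet filter (iptables `-m state --state ESTABLISHED` on the kernels of that period) does. It does not look inside the DNS payload.

```python
"""Two firewall policies for a caching DNS resolver (constructed example).

Policy A: accept any UDP packet whose source port is 53 (the "easy" rule).
Policy B: accept queries to port 53 only from the clients we serve, and
          accept a source-port-53 packet only if it answers an upstream query
          this resolver actually sent from its ephemeral port.
"""
from dataclasses import dataclass

LAN = "192.168.1."        # constructed: the clients our cache serves
RESOLVER = "192.168.1.1"  # constructed: the caching resolver's address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


def naive_accept(pkt: Packet) -> bool:
    """Policy A: LAN may query us, and anything "from port 53" is let in."""
    if pkt.dst != RESOLVER:
        return False
    if pkt.dport == 53 and pkt.src.startswith(LAN):
        return True
    return pkt.proto == "udp" and pkt.sport == 53


class StatefulFilter:
    """Policy B: track outbound queries and only admit matching replies."""

    def __init__(self, is_authoritative: bool = False):
        self.is_authoritative = is_authoritative
        self.pending = set()  # (upstream server, our ephemeral source port)

    def outbound(self, pkt: Packet) -> bool:
        """Record the resolver's own upstream queries (dport 53)."""
        if pkt.src == RESOLVER and pkt.dport == 53:
            self.pending.add((pkt.dst, pkt.sport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        if pkt.dst != RESOLVER:
            return False
        if pkt.dport == 53:
            # Who may query us: everyone if authoritative, else only the LAN.
            return self.is_authoritative or pkt.src.startswith(LAN)
        key = (pkt.src, pkt.dport)
        if pkt.sport == 53 and key in self.pending:
            self.pending.discard(key)  # one reply per query
            return True
        return False


def run_scenarios() -> dict:
    """Feed the same constructed packets to both policies; (naive, stateful)."""
    stateful = StatefulFilter(is_authoritative=False)
    results = {}

    lan_query = Packet("192.168.1.20", 40000, RESOLVER, 53)
    results["lan_query"] = (naive_accept(lan_query), stateful.inbound(lan_query))

    # Outsider probes our port 53 but sets *its* source port to 53 as well.
    probe = Packet("203.0.113.5", 53, RESOLVER, 53)
    results["internet_query_sport53"] = (naive_accept(probe), stateful.inbound(probe))

    # Resolver asks an upstream server from an ephemeral port, reply comes back.
    stateful.outbound(Packet(RESOLVER, 51234, "198.51.100.2", 53))
    reply = Packet("198.51.100.2", 53, RESOLVER, 51234)
    results["upstream_reply"] = (naive_accept(reply), stateful.inbound(reply))

    # Same reply replayed: no query is pending for it any more.
    results["replayed_reply"] = (naive_accept(reply), stateful.inbound(reply))

    # Arbitrary UDP to another service, source port forged to 53.
    spoof = Packet("203.0.113.9", 53, RESOLVER, 161)
    results["spoofed_sport53_to_snmp"] = (naive_accept(spoof), stateful.inbound(spoof))
    return results


def authoritative_accepts_world_query() -> bool:
    """An authoritative server must take queries to port 53 from anyone."""
    return StatefulFilter(is_authoritative=True).inbound(
        Packet("203.0.113.5", 40000, RESOLVER, 53))


if __name__ == "__main__":
    for name, (naive, stateful) in run_scenarios().items():
        print(f"{name:28s} naive={naive!s:5s} stateful={stateful}")
```

The two policies agree on the legitimate cases (a client on the LAN asking us, a genuine upstream reply) and disagree exactly where the thread says they do: with the source-port-53 rule, any host on the Internet can reach any UDP service on the box simply by sending from port 53, and can also query the cache despite it not being open to the world.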