Re: [suse-security] ipchains-log
I've a Nameserver behind my ipchains-firewall and the log says something about incoming connections to port 53 from port 53. What kind of Nameserver-service is that? I've searched, but found nothing concerning this connections.
> It could just be a nameserver querying your nameserver while the source port to use has been configured to 53. This isn't usually the case, but some admin just might have thought that it is a good idea. I wouldn't do it because it obfuscates the logs.
O.K., if I'm on the right track, UDP requests are not bad and it's no real hole if I allow them.
> If it's TCP and not UDP, then someone might have tried to get zone files from you. Then it is interesting _who_ did that, and for what reason.
What's so bad about other people accessing my zone files? I thought they should do this in order to resolve the hostname... Or is there only a risk when you have 'internal' zone files on this NS (that's not the case...)? Thanks for help. Max
> > It could just be a nameserver querying your nameserver while the source port to use has been configured to 53. This isn't usually the case, but some admin just might have thought that it is a good idea. I wouldn't do it because it obfuscates the logs.
> O.K., if I'm on the right track, UDP requests are not bad and it's no real hole if I allow them.
Caution: some buffer overflows happened in the past when reading data from a UDP socket. The protocol doesn't really matter when it comes to dealing with data from an untrusted source. The fact that the attack may or may not be more difficult doesn't change anything about the fact that it is indeed an attack. Even if you make sure that you only see packets from source port 53 _and_ from your nameserver, this isn't reason enough to trust them - somebody else might have sent them, disguising himself behind the IP address of the nameserver. The bare purpose of DNS cache poisoning might be sufficient in a weak setup.
> > If it's TCP and not UDP, then someone might have tried to get zone files from you. Then it is interesting _who_ did that, and for what reason.
> What's so bad about other people accessing my zone files? I thought they should do this in order to resolve the hostname...
Distinguish between a single DNS request (for a single record) and a request to transfer the complete zone. Zone transfers are usually done using port 53 TCP, not UDP, so that makes them easier to filter. It's better, though, to enable xfers for the slave nameservers only.
> Or is there only a risk when you have 'internal' zone files on this NS (that's not the case...)?
The information contained therein. Whether to worry about it or not depends on the content.
> Thanks for help.
You're welcome.
> Max
Thanks,
Roman.
--
| Roman Drahtmüller
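Roman's two points above (UDP 53->53 is usually an ordinary query from a resolver that sends from source port 53, while TCP to port 53 is what a zone transfer looks like and deserves a look at _who_ sent it) can be turned into a small triage script for ipchains log lines. The following is an added example written for this thread, not code from any of the posters; the log lines are constructed in the kernel 2.2 "Packet log:" layout, the addresses are documentation ranges, and the set of secondary nameservers allowed to pull zones is an assumption the reader replaces with their own.

```python
import re
from collections import Counter

# ipchains "Packet log:" layout: chain target iface PROTO=n src:sport dst:dport ...
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
PROTO_TCP, PROTO_UDP = 6, 17

# Constructed sample log (not from the thread). 203.0.113.5 is the
# hypothetical nameserver behind the firewall; 192.0.2.53 is its
# hypothetical secondary (slave) that is allowed to transfer zones.
SAMPLE_LOG = """\
Dec  1 10:00:01 gw kernel: Packet log: input ACCEPT eth0 PROTO=17 192.0.2.10:53 203.0.113.5:53 L=60 S=0x00 I=1 F=0x0000 T=64 (#3)
Dec  1 10:00:02 gw kernel: Packet log: input ACCEPT eth0 PROTO=17 198.51.100.7:1037 203.0.113.5:53 L=60 S=0x00 I=2 F=0x0000 T=64 (#3)
Dec  1 10:00:03 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.53:2048 203.0.113.5:53 L=60 S=0x00 I=3 F=0x0000 T=64 (#4)
Dec  1 10:00:04 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.99:3120 203.0.113.5:53 L=60 S=0x00 I=4 F=0x0000 T=64 (#4)
"""
SECONDARIES = {"192.0.2.53"}  # assumption: hosts allowed to do zone transfers


def parse_ipchains(line):
    """Return the addressing fields of one ipchains log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def classify(rec, secondaries):
    """Label a packet aimed at port 53 the way the thread reasons about it."""
    if rec["dport"] != 53:
        return "not-dns"
    if rec["proto"] == PROTO_UDP:
        # An ordinary query. Source port 53 only means the peer's resolver
        # sends from 53; it says nothing about who really sent the packet.
        return "udp-query-sport53" if rec["sport"] == 53 else "udp-query"
    if rec["proto"] == PROTO_TCP:
        # TCP to 53 is what zone transfers use, so anything not from a
        # known secondary is worth asking about.
        return "tcp-from-secondary" if rec["src"] in secondaries else "tcp-unexpected"
    return "other-proto"


def summarize(log_text, secondaries):
    """Count (source address, label) pairs over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipchains(line)
        if rec is not None:
            counts[(rec["src"], classify(rec, secondaries))] += 1
    return counts


def suspicious_sources(log_text, secondaries):
    """Sources that opened TCP to port 53 without being a known secondary."""
    found = summarize(log_text, secondaries)
    return sorted({src for (src, label) in found if label == "tcp-unexpected"})


if __name__ == "__main__":
    for (src, label), n in sorted(summarize(SAMPLE_LOG, SECONDARIES).items()):
        print(f"{src:16} {label:20} {n}")
    print("ask about:", suspicious_sources(SAMPLE_LOG, SECONDARIES))
```

The script only sorts the log; as Roman says, a source address in a log line is not proof of who sent the packet, so the result is a list of peers to ask about, not a trust decision.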
-----Original Message----- From: Max Lindner [mailto:ml@lofl.de] Subject: Re: [suse-security] ipchains-log
> What's so bad about other people accessing my zone files? I thought they should do this in order to resolve the hostname... Or is there only a risk when you have 'internal' zone files on this NS (that's not the case...)?
Well, normally no one should need to get the total content of your zone files. Especially if you define subdomains and/or different hosts within your domain, this person could get the info about all the machines in your domain. Maybe he could use this info to look for holes. For resolving hostnames, no one needs your zone files. Resolving is done by the responsible nameserver, normally yours.
As I see, you live in Germany. Here only one server is known to try to get all the zone files. This server does statistics for the RIPE and is within the domain uni-bielefeld.de, if I remember correctly. If you get other zone-transfer requests, this _could_ be a sign of someone trying to get as much info as possible. Not a bad idea to ask what he needs this info for... and if the answer is not reasonable, disable unallowed zone transfers.
HTH
---
Stephan
--------------------------------------------
Stephan M. Ott // OKDesign oHG
Internet providing and network management
smo@okdesign.de ..... http://www.okdesign.de
fon. +49 961 3814139 .. fax. +49 961 3814140
mobile 0171-8351130 ... or ... 0171-7858064
--------------------------------------------
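Both Roman ("enable xfers for the slave nameservers only") and Stephan ("disable unallowed zone-transfers") point at the same configuration change. As an added illustration that is not part of the thread, here is what that looks like in BIND's named.conf: the first zone block is the weak setting (no restriction, so anyone who can reach TCP port 53 can pull the whole zone), the second is the corrected form. The zone name, file name and the secondary's address 192.0.2.53 are placeholders, not values from the thread.

```conf
// Weak: without allow-transfer, BIND answers AXFR from any address.
zone "example.com" {
    type master;
    file "example.com.zone";
};

// Corrected: refuse transfers globally, then permit only the
// secondary (slave) nameserver(s) for each zone.
options {
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.53; };   // placeholder address of the slave
};
```

Ordinary queries for single records are unaffected by allow-transfer, which is the distinction Roman draws: resolvers never need the whole zone, only the slaves do.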
participants (3)
- Max Lindner
- OKDesign oHG Security Webmaster
- Roman Drahtmueller