
[cobalt-security] IPchains & DNS



We have a problem with IPchains & DNS queries.

We want to use IPchains to firewall off all ports on our machine apart from
the dozen or so in the sub 150 port range used for services like sendmail &
webserver.

The problem we are having is that tcp & udp DNS queries are being made to
random ports above 1023 on our machine, and we get this sort of thing
turning up in our logs:

Aug 20 07:17:42 Server kernel: Packet log: input REJECT eth0 PROTO=17
206.xx.xx.xx:53 OUR.IP:1054 L=174 S=0x00 I=40463 F=0x4000 T=240 (#33)

We have restricted this by only allowing requests for ports above 1023 from
port 53 on an external machine, but this is easily exploitable.

My knowledge of DNS is patchy to say the least. Does anyone know

1) If it's possible to force external servers to make DNS queries to port 53
only? (I assume not)
2) If we simply DENY these requests, will it prevent our site from being
found? (I assume it will)
3) Is there a simple fix for this that I have completely overlooked?

TIA

Lawrence
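An added example, not from the post or the cobalt-security list: a small Python triage script for ipchains "Packet log:" lines in the format shown above. It separates replies coming back from the resolvers the host actually queries (the traffic the firewall must let through) from other port-53-sourced packets aimed at unprivileged ports, which is the exposure the "allow anything from port 53" rule leaves open. The resolver addresses and log lines are constructed samples using documentation IP ranges.

```python
import re

# ipchains kernel packet-log format, as seen in the post:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<len> S=0x<tos> I=<id> F=0x<frag> T=<ttl> (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

# Constructed sample: the resolvers this host is configured to query (resolv.conf).
RESOLVERS = {"192.0.2.53"}

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE_LINES = [
    "Aug 20 07:17:42 Server kernel: Packet log: input REJECT eth0 PROTO=17 192.0.2.53:53 192.0.2.10:1054 L=174 S=0x00 I=40463 F=0x4000 T=240 (#33)",
    "Aug 20 07:18:01 Server kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.7:53 192.0.2.10:8080 L=60 S=0x00 I=12 F=0x4000 T=52 (#33)",
    "Aug 20 07:18:05 Server kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.7:4444 192.0.2.10:8080 L=60 S=0x00 I=13 F=0x4000 T=52 (#33)",
    "Aug 20 07:18:09 Server kernel: this line is not a packet log entry",
]


def parse_line(line):
    """Parse one ipchains packet-log line into a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        pkt[key] = int(pkt[key])
    return pkt


def classify(pkt, resolvers):
    """Label a rejected inbound packet by what its source port 53 actually means."""
    if pkt["sport"] != 53 or pkt["dport"] <= 1023:
        return "other"
    if pkt["src"] in resolvers:
        # A DNS reply (UDP 17 or TCP 6) to the ephemeral port our resolver used;
        # dropping these is what breaks name lookups from the box itself.
        return "expected-dns-reply"
    # Source port 53 from a host we never queried: nothing legitimate needs this.
    return "unsolicited-port-53"


def triage(lines, resolvers):
    """Count log lines per category so the rule's real exposure is visible."""
    counts = {"expected-dns-reply": 0, "unsolicited-port-53": 0, "other": 0, "unparsed": 0}
    for line in lines:
        pkt = parse_line(line)
        counts["unparsed" if pkt is None else classify(pkt, resolvers)] += 1
    return counts
```

Run against a real /var/log/messages, the "unsolicited-port-53" bucket is the traffic an "allow from port 53 to >1023" rule would have passed; restricting that rule to the resolver addresses keeps the first bucket working while closing the rest.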