
RE: [cobalt-security] IPchains & DNS



Lawrence wrote:

> The problem we are having is that tcp & udp DNS queries are 
> being made to random ports above 1023 on our machine, and
> we get this sort of thing turning in our logs:
> 
> Aug 20 07:17:42 Server kernel: Packet log: input REJECT eth0 PROTO=17
> 206.xx.xx.xx:53 OUR.IP:1054 L=174 S=0x00 I=40463 F=0x4000 T=240 (#33)

This is *return traffic* when your DNS server has made a query to the remote
one! To give an example: You generate an email from a form on your
webserver. This is then processed by Sendmail, which MUST carry out a DNS
lookup to determine the MX record for remote addresses. It does this query
using a port above 1023. You see the responses coming back from remote:53 to
local:1024+ but you're blocking them, which will cause all manner of
problems...

> 1) If it's possible to force external servers to make DNS 
> queries to port 53 only? (I assume not)

They're not queries :)

> 2) If we simply DENY these requests, will it prevent our site 
> from being found? (I assume it will)

Well... it'll slow things down quite dramatically.

> 3) Is there are simple fix for this that I have completely overlooked?

Deny SYN packets to all ports above 1023:

ipchains -I <chain> -p tcp -d <your IP address> \
     --destination-port 1024:65535 --syn -j DENY

That will allow the answers to return to requests made by your machine, but
disallow any other requests on those ports. To be honest, if you're not
running any services on those ports then that rule is needless! A better
rule would be:

ipchains -I <chain> -p tcp -d <your IP address> \
     --source-port 53 --destination-port 1024:65535 ! --syn -j ACCEPT

which then accepts - specifically - non-SYN packets from port 53 to any port
above 1023 on your machine.

HTH

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC
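As an added example (not part of the thread): a small Python script that parses ipchains packet-log lines like the one Lawrence quoted and picks out the entries that are blocked DNS replies, i.e. remote port 53 to a local port above 1023. It goes beyond the TCP-only rule above by checking UDP (PROTO=17, as in the quoted line) as well as TCP; apart from the quoted line, the sample log is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ipchains kernel packet-log format, as in the quoted log line:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=... (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+)"
)
PROTO_NAMES = {6: "tcp", 17: "udp"}

# Constructed sample log: line 1 is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = """\
Aug 20 07:17:42 Server kernel: Packet log: input REJECT eth0 PROTO=17 206.xx.xx.xx:53 OUR.IP:1054 L=174 S=0x00 I=40463 F=0x4000 T=240 (#33)
Aug 20 07:17:43 Server kernel: Packet log: input REJECT eth0 PROTO=6 206.xx.xx.xx:53 OUR.IP:1061 L=60 S=0x00 I=40470 F=0x4000 T=240 (#33)
Aug 20 07:18:01 Server kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.7:40111 OUR.IP:1433 L=60 S=0x00 I=1 F=0x4000 T=52 (#33)
Aug 20 07:18:05 Server kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.9:4321 OUR.IP:80 L=60 S=0x00 I=2 F=0x4000 T=52 (#12)
"""

@dataclass
class Entry:
    chain: str
    target: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one syslog line; returns None for lines that are not ipchains packet logs."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return Entry(m["chain"], m["target"], m["iface"], int(m["proto"]),
                 m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def is_dns_reply(e: Entry) -> bool:
    """Reply to a lookup our own resolver made: remote port 53 -> local unprivileged port, TCP or UDP."""
    return e.sport == 53 and e.dport > 1023 and e.proto in PROTO_NAMES

def blocked_dns_replies(log: str) -> List[Entry]:
    """Entries where the firewall REJECTed or DENYed a DNS reply (the symptom in the thread)."""
    entries = (parse_entry(line) for line in log.splitlines())
    return [e for e in entries if e and e.target in ("REJECT", "DENY") and is_dns_reply(e)]

def summarize(log: str) -> Dict[Tuple[str, str], int]:
    """Count blocked replies per (protocol, remote DNS server) to see which resolver is affected."""
    counts: Dict[Tuple[str, str], int] = {}
    for e in blocked_dns_replies(log):
        key = (PROTO_NAMES[e.proto], e.src)
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Run it against the kernel log (for example `summarize(open("/var/log/messages").read())`) to confirm the dropped packets are DNS replies before loosening any rule.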