firewall blocking 53

Pete Ehlke pde at ehlke.net
Wed Aug 7 19:20:17 UTC 2002


On Wed, Aug 07, 2002 at 02:49:48PM -0400, Eric L. Howard wrote:
> 
> Agreed...but if named's default timeout = 30 seconds and Firewall-1 default
> timeout = 40 seconds...where's the misconfiguration that cuts off services
> that are business critical?
> 
It's UDP; there's no facility for closing the connection that the
firewall can use to understand whether the name server has given up. 
If the name server sends my home machine a query (I drop port 53
inbound, along with almost everything else), that query will time out on
the name server, but from what's been said of FW-1 here, the firewall
has no way of knowing that, and in this configuration it cuts off the
name server. "That's bad, Gir."

> If he pushed up the default timeout on the nameserver, but didn't talk to
> the firewall folks about services that traverse the firewall (what decent
> firewall doesn't implement a timeout on dead/waiting connections?), then the
> misconfiguration is on the nameserver end.
> 
No, the misconfiguration is in deciding that a timed out UDP session
should cause the name server to be blocked. You can time out UDP if you
want; it's probably even a good idea. But using the fact that a datagram
from your internal name server to a remote machine's port 53 timed out
to decide to block further communication from that server, well, I stand
by my original statement. You just shot yourself in the foot. The Denial
of Service attack is left as a trivial exercise for the reader.

-Pete


-P.
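As an added illustration, not part of this thread and not a model of any particular firewall product: a toy Python model of UDP connection tracking that replays the scenario above with the two timeout values quoted in the discussion. It contrasts the two things a firewall can do when a tracked UDP entry ages out with no reply: forget the entry, or additionally block the internal source. The hostnames and the `StatefulFirewall`/`simulate` names are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed example: the two timeouts mentioned in the thread, used
# here only to drive the toy model below.
NAMED_TIMEOUT = 30   # seconds before the resolver gives up on a query
UDP_TIMEOUT = 40     # seconds before the firewall forgets a UDP "session"


@dataclass
class StatefulFirewall:
    """Minimal model of UDP connection tracking.

    policy="expire": an unanswered entry is simply forgotten (sane).
    policy="block":  an unanswered entry also blocks the internal source,
                     the behaviour complained about in the thread.
    """
    policy: str
    udp_timeout: int = UDP_TIMEOUT
    state: dict = field(default_factory=dict)   # (src, dst, dport) -> time sent
    blocked: set = field(default_factory=set)   # internal hosts cut off

    def outbound(self, now, src, dst, dport):
        """Internal host sends a datagram. Returns True if it is forwarded."""
        self._expire(now)
        if src in self.blocked:
            return False
        self.state[(src, dst, dport)] = now
        return True

    def inbound(self, now, src, sport, dst):
        """Datagram arrives from outside. Returns True if admitted, i.e. it
        matches a tracked outbound query; anything else is dropped."""
        self._expire(now)
        key = (dst, src, sport)
        if key in self.state:
            del self.state[key]       # answered; nothing more to track
            return True
        return False

    def _expire(self, now):
        """Age out entries. UDP carries no FIN/RST, so this timer is the
        only signal the firewall ever gets that a query went unanswered;
        it cannot tell that named gave up long before."""
        for key, sent in list(self.state.items()):
            if now - sent >= self.udp_timeout:
                del self.state[key]
                if self.policy == "block":
                    self.blocked.add(key[0])   # key[0] is the internal source


def simulate(policy):
    """Replay the thread's scenario under the given policy.

    ns queries a remote host that silently drops port 53, named gives up
    after NAMED_TIMEOUT, and later ns queries a server that does answer."""
    fw = StatefulFirewall(policy)
    ns, silent, good = "ns.internal", "home.example", "auth.example"

    fw.outbound(0, ns, silent, 53)            # query to the host dropping 53
    # t = NAMED_TIMEOUT: named times the query out. Nothing crosses the
    # firewall at that moment, so its state entry is untouched.
    t = NAMED_TIMEOUT + 20                    # 50s, past the 40s UDP timeout
    forwarded = fw.outbound(t, ns, good, 53)  # query to a well-behaved server
    replied = forwarded and fw.inbound(t + 1, good, 53, ns)
    return {"forwarded": forwarded, "replied": replied,
            "ns_blocked": ns in fw.blocked}


if __name__ == "__main__":
    for policy in ("expire", "block"):
        print(policy, simulate(policy))
```

Under the "expire" policy the stale entry is discarded and the next query goes through normally; under the "block" policy the same stale entry cuts the name server off from every remote server, which is the failure mode described above. Anyone who can make the internal resolver send one query to a host that drops port 53 can trigger it.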


More information about the bind-users mailing list