firewall blocking 53

Armin Safarians armin.safarians at safeway.com
Wed Aug 7 19:35:00 UTC 2002


I believe one of the emails answered my question. The random port is
assigned and used for the duration. I understood that as a random one is
selected every time. I do agree with your statement below. I will speak
to the firewall staff and this will need to be resolved on their side.

Thank you all.
AMS :-)

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Pete Ehlke
Sent: Wednesday, August 07, 2002 12:20 PM
To: bind-users at isc.org
Subject: Re: firewall blocking 53



On Wed, Aug 07, 2002 at 02:49:48PM -0400, Eric L. Howard wrote:
> 
> Agreed...but if named's default timeout = 30 seconds and Firewall-1 
> default timeout = 40 seconds...where's the misconfiguration that cuts 
> off services that are business critical?
> 
It's UDP; there's no facility for closing the connection that the
firewall can use to understand whether the name server has given up. 
If the name server sends my home machine a query (i drop port 53
inbound, along with almost everything else), that query will time out on
the name server, but from what's been said of FW-1 here, the firewall
has no way of knowing that, and in this configuration it cuts off the
name server. "That's bad, Gir."

> If he pushed up the default timeout on the nameserver, but didn't talk
> to the firewall folks about services that traverse the firewall (what 
> decent firewall doesn't implement a timeout on dead/waiting 
> connections?), then the misconfiguration is on the nameserver end.
> 
No, the misconfiguration is in deciding that a timed out UDP session
should cause the name server to be blocked. You can time out UDP if you
want; it's probably even a good idea. But using the fact that a datagram
from your internal name server to a remote machine's port 53 timed out
to decide to block further communication from that server, well, I stand
by my original statement. You just shot yourself in the foot. The Denial
of Service attack is left as a trivial exercise for the reader.

-Pete


-P.
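A small simulation of the two firewall behaviours argued about in this thread, added here as an illustration and not code from BIND, FireWall-1 or anyone on the list. The addresses, the 40 s idle timeout and the "block the source host when its UDP entry times out" policy are assumptions for the example; named's random source port is modelled as a fixed constructed value.

```python
"""UDP pseudo-session table with two timeout policies (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class UdpFirewall:
    idle_timeout: float = 40.0          # FW-1 default quoted in the thread (assumed)
    block_on_timeout: bool = False      # the misconfiguration the reply describes
    sessions: dict = field(default_factory=dict)  # (src, sport, dst, dport) -> last seen
    blocked: set = field(default_factory=set)     # internal hosts that got cut off

    def expire(self, now: float) -> None:
        """Drop idle entries; under the bad policy, also block their source host."""
        for key, last in list(self.sessions.items()):
            if now - last > self.idle_timeout:
                del self.sessions[key]
                if self.block_on_timeout:
                    self.blocked.add(key[0])

    def outbound(self, now, src, sport, dst, dport) -> bool:
        """Query direction: allowed unless the source was blocked; records state."""
        self.expire(now)
        if src in self.blocked:
            return False
        self.sessions[(src, sport, dst, dport)] = now
        return True

    def inbound(self, now, src, sport, dst, dport) -> bool:
        """Reply direction: allowed only while the matching query entry is alive."""
        self.expire(now)
        key = (dst, dport, src, sport)
        if key not in self.sessions:
            return False
        self.sessions[key] = now
        return True


NS = "192.0.2.53"        # internal name server (documentation address, constructed)
QPORT = 4321             # named's random query port, fixed here for the example


def reply_accepted() -> bool:
    """A normal exchange: the answer comes back to the random port within the timeout."""
    fw = UdpFirewall()
    fw.outbound(0.0, NS, QPORT, "203.0.113.2", 53)
    return fw.inbound(0.5, "203.0.113.2", 53, NS, QPORT)


def query_after_silent_peer(block_on_timeout: bool) -> bool:
    """One query to a host that drops port 53 never gets a reply; 45 s later named
    (30 s timeout) has given up and asks an unrelated, working server."""
    fw = UdpFirewall(block_on_timeout=block_on_timeout)
    fw.outbound(0.0, NS, QPORT, "198.51.100.1", 53)   # silent peer, entry goes idle
    return fw.outbound(45.0, NS, QPORT, "203.0.113.2", 53)
```

With plain expiry the second query is allowed; with the block-on-timeout policy one unanswered datagram is enough to cut the name server off from every other host.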


