firewall blocking 53

Eric L. Howard elh at outreachnetworks.com
Wed Aug 7 20:02:34 UTC 2002


At a certain time, now past, David Botham spake thusly:
> 
> [clip...]
> > It's UDP; there's no facility for closing the connection that the
> > firewall can use to understand whether the name server has given up.
> > If the name server sends my home machine a query (I drop port 53
> > inbound, along with almost everything else), that query will time out on
> > the name server, but from what's been said of FW-1 here, the firewall
> > has no way of knowing that, and in this configuration it cuts off the
> > name server. "That's bad, Gir."
> > 
> > > If he pushed up the default timeout on the nameserver, but didn't talk to
> > > the firewall folks about services that traverse the firewall (what decent
> > > firewall doesn't implement a timeout on dead/waiting connections?), then the
> > > misconfiguration is on the nameserver end.
> > >
> > No, the misconfiguration is in deciding that a timed out UDP session
> > should cause the name server to be blocked. You can time out UDP if you
> > want; it's probably even a good idea. But using the fact that a datagram
> > from your internal name server to a remote machine's port 53 timed out
> > to decide to block further communication from that server, well, I stand
> > by my original statement. You just shot yourself in the foot. The Denial
> > of Service attack is left as a trivial exercise for the reader.
> 
> I agree with Pete.  If the fw blocks all replies after the first
> timeout, even if the name server sends additional queries, then the fw
> is broke (or at least sucks).  However, I do not think that FW-1

I agree with that statement.  I hope that none of my previous statements
make anyone think that I don't.  My original point was that in this
instance...I didn't (and still don't) think that it's a firewall
misconfiguration.

       ~elh

-- 
Eric L. Howard           e l h @ o u t r e a c h n e t w o r k s . c o m
------------------------------------------------------------------------
www.OutreachNetworks.com                                    313.297.9900
------------------------------------------------------------------------
                    Advocate of the Theocratic Rule
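The two firewall policies argued about in the quoted thread, as an added example that is not part of the original post and is not code from FW-1 or any other vendor. It is a toy stateful UDP tracker: because UDP has no close handshake, the only signal the firewall gets that a resolver's query is "over" is an idle timeout. The sane policy simply expires the state entry (so a late reply is dropped, which the thread agrees is fine); the contested policy additionally blocks the internal source after a timeout. The resolver and name server addresses, the 40-second idle timeout and the packet trace are all constructed for the illustration.

```python
"""Toy stateful UDP tracker modelling the two firewall policies from the
bind-users thread.  Added example; the hosts, timeout and the
'block the source on timeout' rule are assumptions for illustration, not a
description of any real product's behaviour."""
from dataclasses import dataclass, field

UDP_IDLE_TIMEOUT = 40.0  # seconds of silence before a UDP "session" expires (assumed)


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time at the firewall, in seconds
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True = arriving from the outside world


@dataclass
class UdpTracker:
    block_on_timeout: bool                          # the policy the thread objects to
    sessions: dict = field(default_factory=dict)    # (int_host, int_port, ext_host, ext_port) -> last seen
    blocked: set = field(default_factory=set)       # internal hosts that have been cut off

    def _expire(self, now: float) -> None:
        """Drop idle state; under the contested policy also block its internal source."""
        for key, last_seen in list(self.sessions.items()):
            if now - last_seen > UDP_IDLE_TIMEOUT:
                del self.sessions[key]
                if self.block_on_timeout:
                    self.blocked.add(key[0])  # key[0] is always the internal host

    def handle(self, p: Packet) -> str:
        """Return 'accept' or 'drop' for one datagram, updating state as a firewall would."""
        self._expire(p.t)
        if p.inbound:
            # A reply is only allowed if it matches state an outbound query created.
            key = (p.dst, p.dport, p.src, p.sport)
            if key in self.sessions:
                self.sessions[key] = p.t
                return "accept"
            return "drop"   # unsolicited, or a reply that arrived after the timeout
        if p.src in self.blocked:
            return "drop"   # contested policy: the resolver has been cut off
        self.sessions[(p.src, p.sport, p.dst, p.dport)] = p.t
        return "accept"


def run_trace(block_on_timeout: bool) -> list:
    """Replay a constructed trace: the internal resolver queries an unresponsive
    authoritative server, then (after the idle timeout) a live one."""
    resolver = "10.0.0.53"         # internal recursive name server (constructed)
    dead_ns = "192.0.2.10"         # unreachable remote name server (documentation address)
    live_ns = "198.51.100.10"      # working remote name server (documentation address)
    trace = [
        Packet(0.00, resolver, 40001, dead_ns, 53, inbound=False),  # query that will never be answered
        Packet(50.00, resolver, 40002, live_ns, 53, inbound=False), # new query, 10 s after the first expired
        Packet(50.02, live_ns, 53, resolver, 40002, inbound=True),  # its reply
        Packet(60.00, dead_ns, 53, resolver, 40001, inbound=True),  # very late reply to the first query
    ]
    fw = UdpTracker(block_on_timeout)
    return [fw.handle(p) for p in trace]


if __name__ == "__main__":
    print("expire only      :", run_trace(False))
    print("block on timeout :", run_trace(True))
```

With the expire-only policy the trace yields accept, accept, accept, drop: the late reply is discarded, but the resolver keeps working. With block-on-timeout it yields accept, drop, drop, drop: one unanswered query to a dead server takes the resolver off the air, which is the foot-shooting the thread describes. The "trivial exercise" follows from the model: in it, any client that can make the resolver send a query to an address that will not answer gets the resolver blocked.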
