Vulnerability to cache poisoning -- the rest of the solution

Jeff Lightner jlightner at water.com
Mon Jul 14 15:32:05 UTC 2008


OK maybe I missed something.

We were only allowing port 53 outside the firewall (confirmed by the
Network folks).   We've been doing lookups for external sites fine
despite that.   Was the discussion in current thread about that or
something else?

You mention transfer.   The only transfers I'm aware of are on a
separate interface (internal DMZ) for zone transfers between master and
slave DNS servers.   

Also my Network admin is asking for clarification of what needs to be
opened for the port randomization.   He thinks it should only be ports
above 1024.
1)  Is that correct?  If not is there a range that is correct?
2)  Is this udp AND tcp?   
Earlier posts had led me to believe it was only udp but the current
thread makes it sound like it should be both.

He's ready to open whatever I tell him but I don't see any point in
opening up ports that won't be used.

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Alan Clegg
Sent: Monday, July 14, 2008 10:44 AM
To: bind-users at isc.org
Subject: Re: Vulnerability to cache poisoning -- the rest of the
solution

Jeff Lightner wrote:
> If that's the case why wouldn't we have needed to open firewall to
allow
> this behavior for tcp?
You would have.  Unless you never had (functional) DNS queries/transfers
over TCP.

AlanC
----------------------------------
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.
----------------------------------


More information about the bind-users mailing list