IPCHAINS Help

Brian Russo brusso at phys.hawaii.edu
Thu Oct 18 09:19:18 PDT 2001


On Wed, Oct 17, 2001 at 06:55:56AM +0000, Ben Beeson wrote:
> Dusty, Brian and Warren,
> 	Thanks for your help.  The answer to Warren's question is that I am 
> seeing a few more port scans on port 53 from the far flung regions of the 

I'm uncertain what you mean by "on port 53".

src_port = 53? 
or
dst_port = 53?

If they're coming from src_port 53, to some arbitrary port on your
side, you can permit src_port 53 only from the DNS servers you
expect to use, and block all others.

If they're coming from an arbitrary port, to dst_port 53, you can
just block all incoming to 53 (assuming you don't have an externally
visible NS).

Blocking packets incoming to port 53 should not impact DNS.

query:
 resnet4-32.housing.hawaii.edu.32825 > postoffice.netpath.net.domain:  10454+ A? carolina.com.

response:
 postoffice.netpath.net.domain > resnet4-32.housing.hawaii.edu.32825:  10454* 1/2/0 A node60-197.netpath.net

We can see that the outgoing query is made to the DNS server on its
port 53, and is src_port'd from 53 in the reply.
Port 53 never comes into play on the client's side; an arbitrary
port (32825 in this case) is used.

Keep in mind if you do block src_port 53, even permitting your ISP's
nameservers through, it's possible that some applications could
break, e.g. "dig @some.unpermitted.dns.server IN A foo.com" would
break - note that "dig some.unpermitted.dns.server IN A foo.com" would
not break.

Anyway, it's 6.17, I'm not allowed to be up this early; if something
is unclear or just plain wrong, it's probably my fault ;)

 - bri
-- 
Unix Staff, High Energy Physics Group   <brusso at phys.hawaii.edu>
Debian/GNU Linux! http://www.debian.org <wolfie at debian.org>
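[Editor's note: the following is an added worked example, not part of Brian's post or the LUAU archive.]

The two options above (deny src_port 53 except from the resolvers you use, or deny everything arriving at dst_port 53) can be checked against tcpdump output before anyone types an ipchains rule. The script below models the ipchains input chain as a first-match-wins rule list, parses "host.port > host.port:" lines in the format quoted above, and reports what each option would do to them. The reply line is the real one from the post; the other three inbound lines (a scan to our port 53, a scan with source port 53, and a reply from an unlisted resolver, i.e. the "dig @some.unpermitted.dns.server" case) are constructed, and the hostnames scanner.example.net and other.resolver.example plus the TRUSTED_NS list are assumptions for the example. The rendered ipchains commands show UDP only; a real deployment needs the same rules for TCP.

```python
import re
from dataclasses import dataclass
from typing import Optional

SERVICE_PORTS = {"domain": 53}  # tcpdump prints some well-known ports by service name


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One rule on the ipchains 'input' chain; None means 'match anything'."""
    target: str                   # ACCEPT or DENY
    src: Optional[str] = None     # source host, or any
    sport: Optional[int] = None   # source port, or any
    dport: Optional[int] = None   # destination port, or any

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or self.src == p.src)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))

    def as_ipchains(self) -> str:
        """Render the rule in ipchains syntax (UDP shown; DNS also needs a TCP twin)."""
        src = self.src or "0/0"
        if self.sport is not None:
            src += f" {self.sport}"
        dst = "0/0" if self.dport is None else f"0/0 {self.dport}"
        return f"ipchains -A input -p udp -s {src} -d {dst} -j {self.target}"


# "host.port > host.port:" as tcpdump prints it; the port is the last dotted component.
LINE_RE = re.compile(r"^\s*(\S+)\.(\w+) > (\S+)\.(\w+):")


def _port(tok: str) -> int:
    return SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)


def parse_line(line: str) -> Packet:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a tcpdump host.port > host.port line: {line!r}")
    src, sport, dst, dport = m.groups()
    return Packet(src, _port(sport), dst, _port(dport))


def decide(rules, pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in ipchains; otherwise the chain policy applies."""
    for r in rules:
        if r.matches(pkt):
            return r.target
    return policy


# Assumed for this example: the one resolver this host is configured to use.
TRUSTED_NS = ("postoffice.netpath.net",)

# Option 1 from the post: permit src_port 53 only from the resolvers we use, deny it from anyone else.
SRC53_RULES = [Rule("ACCEPT", src=ns, sport=53) for ns in TRUSTED_NS] + [Rule("DENY", sport=53)]
# Option 2 from the post: no externally visible NS, so deny everything arriving at dst_port 53.
DST53_RULES = [Rule("DENY", dport=53)]

# Inbound lines as the input chain sees them. REPLY is the real line from the post;
# the other three are constructed for this example (hosts are assumed names).
REPLY = " postoffice.netpath.net.domain > resnet4-32.housing.hawaii.edu.32825:  10454* 1/2/0 A node60-197.netpath.net"
OTHER_REPLY = " other.resolver.example.domain > resnet4-32.housing.hawaii.edu.32826:  7* 1/0/0 A 203.0.113.9"
SCAN_TO_53 = " scanner.example.net.4444 > resnet4-32.housing.hawaii.edu.domain:  S 0:0(0) win 1024"
SCAN_FROM_53 = " scanner.example.net.domain > resnet4-32.housing.hawaii.edu.22:  S 0:0(0) win 1024"
INBOUND = {"reply": REPLY, "other_reply": OTHER_REPLY,
           "scan_to_53": SCAN_TO_53, "scan_from_53": SCAN_FROM_53}


def classify(rules, lines=INBOUND):
    """Map each named inbound line to the target the given rule set gives it."""
    return {name: decide(rules, parse_line(text)) for name, text in lines.items()}


if __name__ == "__main__":
    for label, rules in (("block src_port 53 except trusted", SRC53_RULES),
                         ("block dst_port 53", DST53_RULES)):
        print(f"== {label}")
        for r in rules:
            print("  " + r.as_ipchains())
        for name, verdict in classify(rules).items():
            print(f"  {name:13s} -> {verdict}")
```

Running it shows the point of the post: under "block dst_port 53" the real reply to port 32825 still gets through and only the probe aimed at our port 53 is denied, while under "block src_port 53 except trusted" the reply from the listed resolver passes, the reply from the unlisted one is dropped (the dig @server breakage), and a scan aimed at our port 53 from an arbitrary source port is not caught at all. Which option fits depends on which direction the port 53 traffic in your logs is going.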



More information about the LUAU mailing list