[Courses] [Security] Firewall theory -- UDP and nameservers
hobbit at aloss.ukuu.org.uk
Wed Mar 20 14:31:11 EST 2002
On Fri, Mar 15, 2002 at 01:33:40PM -0500 or thereabouts, Raven, corporate courtesan wrote:
> Quoth hobbit at aloss.ukuu.org.uk (Wed, Mar 13, 2002 at 08:04:47PM +0000):
> > Our firewall drops UDP. All of it. There is some complicated thing
> > to do with letting DNS queries work. It can be done, but I'd have
> > to go and investigate to find out how. For all I know, it was
> > "ask person who runs nameserver to do TCP too".
>
> Heh. I'd actually love to know how that works. I can't think
> of any way to get it done without either controlling and custom-hacking
> your external nameserver, or accepting some UDP.
>
> [runs off and asks her local nameserver expert to see if she can
> think of any other way it could be done]
>
> Is it allowing replies to particular UDP queries, but nothing
> else? If not, I am well and truly stumped. (And therefore, intrigued.
> [grin])
Of those, I think it's the last suggestion. I asked my husband. And
didn't understand it well enough to relay here without garbling it.
So I asked him to write it down. I'll just include it here, and you
can (with luck) decipher it and explain it to me. It hinges, I think,
on the "some control over nameserver" suggestion, in that there's
a firewall there too.
Over to Alan's ASCII art:
Internet --- [ 1-FIREWALL ] --- DNS server --- [ 2-FIREWALL ] --- ME
#1 has rules that block any packets coming from the internet with
source addresses that are local to the DNS, ISP, me (i.e. spoofed)
#2 has a specific rule to allow DNS traffic through but only if it
originates from the DNS server. #1 ensures that wasn't spoofed unless
the DNS box was compromised. Even then they have a bit of a battle
but an attacker could target known UDP services [e.g. NFS which is port
2049 and best blocked anyway]
There are other tricks you can pull too:
- Running DNS through a socks proxy
- Use IPv6 to talk to the nameserver if you have a local IPv6
connection (great for screwing with a script kiddie's mind)
- Patch glibc to allow you to force TCP DNS - this is great for
your own nameserver but if you are using an ISP one don't expect
it to make people happy as it reduces the load it can handle a
fair bit. Diff below, and add "options tcp" to resolv.conf.
--- resolv/res_init.c~ Wed Jul 18 18:26:20 2001
+++ resolv/res_init.c Wed Mar 20 01:05:46 2002
@@ -482,6 +482,8 @@
#endif
} else if (!strncmp(cp, "inet6", sizeof("inet6") - 1)) {
statp->options |= RES_USE_INET6;
+ } else if (!strncmp(cp, "tcp", sizeof("tcp") - 1)) {
+ statp->options |= RES_USEVC;
} else if (!strncmp(cp, "rotate", sizeof("rotate") - 1)) {
statp->options |= RES_ROTATE;
} else if (!strncmp(cp, "no-check-names",
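Review bot: the new "tcp" keyword is not documented by the patch; since the branch sets RES_USEVC from the resolv.conf options line, resolv.conf(5) needs an entry describing it and its effect (every query over TCP, which the covering mail notes raises the load on a shared nameserver). The `strncmp(cp, "tcp", sizeof("tcp") - 1)` prefix match is consistent with the neighbouring "inet6" and "rotate" branches, but it does mean any option word beginning with "tcp" is accepted as this one.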
(Back to Telsa again now..) I hear more and more about IPv6. I heard
a talk on it several years ago, and as time passed and I heard no more
I presumed it was just one of those neat things which wasn't going to
take off after all. Now that I have forgotten everything from the talk, of
course, suddenly everyone's talking about it again. Unfair, I call it.
Anyway, that's the "securing nameserver traffic" thing, but I'm still
not sure how it works. I do know that if the nameserver or the network
between here and it goes away, I can't just change the nameserver address
in /etc/resolv.conf and expect things to work. I just have to put up
with it until it comes back.
Telsa
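As an added illustration (mine, not Alan's or Telsa's, and no code from the thread): a small Python model of the two-firewall layout above, using constructed addresses, that shows which packets #1 and #2 would drop, including the compromised-DNS-box case Alan points at. The iptables lines in the comments are an assumed equivalent, not rules from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the example; the thread names no real ones.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # everything behind #1: DNS box, ISP link, ME
DNS_SERVER = ipaddress.ip_address("192.0.2.53")
ME = ipaddress.ip_address("192.0.2.10")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "udp" or "tcp"
    sport: int
    dport: int
    from_internet: bool  # True if it arrived on #1's external interface


def fw1_drops(p: Packet) -> bool:
    """#1: anti-spoofing. Anything from the Internet claiming a local source is dropped.
    (assumed equivalent: iptables -A FORWARD -i ext0 -s 192.0.2.0/24 -j DROP)"""
    return p.from_internet and any(ipaddress.ip_address(p.src) in n for n in LOCAL_NETS)


def fw2_drops(p: Packet) -> bool:
    """#2: UDP is dropped unless it is a DNS reply from the DNS server (source port 53).
    (assumed equivalent: iptables -A INPUT -p udp -s 192.0.2.53 --sport 53 -j ACCEPT,
     followed by iptables -A INPUT -p udp -j DROP)"""
    if p.proto != "udp":
        return False  # TCP policy is not part of this model
    return not (ipaddress.ip_address(p.src) == DNS_SERVER and p.sport == 53
                and ipaddress.ip_address(p.dst) == ME)


def verdict(p: Packet) -> str:
    """Walk the packet through #1 (if it came from the Internet) and then #2."""
    if fw1_drops(p):
        return "dropped by #1 (spoofed local source)"
    if fw2_drops(p):
        return "dropped by #2 (UDP not from the DNS server)"
    return "delivered to ME"


if __name__ == "__main__":
    # Alan's residual risk: a compromised DNS box sending from port 53 to NFS on ME gets through #2.
    print(verdict(Packet("192.0.2.53", "192.0.2.10", "udp", 53, 2049, from_internet=False)))
```

Blocking UDP 2049 on ME itself, as Alan suggests, is what closes that last case; the model shows why #2 alone does not.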