Date: Wed, 14 Jun 2000 13:46:44 +0300
From: Boris Karnaukh <bk532@iname.com>
To: Hugh Ho <hho321@yahoo.com>, freebsd-security@freebsd.org
Subject: Re: IPFW rules for DNS?
Message-ID: <39476294.5A2D178D@iname.com>
References: <20000613014237.10942.qmail@web210.mail.yahoo.com>

Hugh Ho wrote:
>
> I need to do nslookup quite often, and I have the following IPFW rules which
> allow nslookup to talk to my ISP's DNS server:
>
> allow udp from ${my_ip} to ${dns_server} 53
> allow udp from ${dns_server} 53 to ${my_ip}
>
> Problem with the above rules is that people can pass IPFW if they use UDP port
> 53 with a spoofed IP that matches my ISP's DNS server. Is there a way to fix my
> problem?
You can try to implement keep-state/check-state in your ruleset.
check-state
allow udp from ${my_ip} to ${dns_server} 53 keep-state
I think that approach can shorten the period of time when your computer is
open to UDP traffic from outside. Thus you'll be not so vulnerable to an
incoming stream of spoofed DNS replies.
--
<Signed>
Boris Karnaukh (mailto:bk532@iname.com)
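The difference between the two rulesets, as an added illustration that is not part of the thread and not ipfw's own code: the stateless pair accepts any UDP packet claiming to come from the DNS server's port 53, while check-state/keep-state only accepts a reply that matches a dynamic rule created by one of your own queries, keyed on the full address/port 4-tuple and living only for the dynamic-rule lifetime. The model below is written in Python because the real rules need ipfw on a FreeBSD host; the addresses, the ephemeral ports, the packet tuples and the lifetime constant (FreeBSD's net.inet.ip.fw.dyn_udp_lifetime, assumed to be its default of 10 seconds) are all assumptions chosen for the example.

```python
"""Stateless vs. keep-state/check-state handling of DNS replies, modelled.

The rules being modelled (from the thread, with the macros filled in):

  stateless:  allow udp from ${my_ip} to ${dns_server} 53
              allow udp from ${dns_server} 53 to ${my_ip}

  stateful:   check-state
              allow udp from ${my_ip} to ${dns_server} 53 keep-state

Everything below is a constructed illustration of ipfw's behaviour,
not ipfw code.  Only UDP is modelled, so the protocol field is omitted.
"""
from dataclasses import dataclass

MY_IP = "192.0.2.10"          # assumed value for ${my_ip} (documentation range)
DNS_SERVER = "198.51.100.53"  # assumed value for ${dns_server} (documentation range)

# Lifetime of a UDP dynamic rule in seconds.  Assumed to match the default
# of FreeBSD's sysctl net.inet.ip.fw.dyn_udp_lifetime.
DYN_UDP_LIFETIME = 10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def stateless_allows(p: Packet) -> bool:
    """The original two rules.  Anything from ${dns_server} port 53 is let in,
    whether or not a query was ever sent, so a spoofed source passes."""
    if p.src == MY_IP and p.dst == DNS_SERVER and p.dport == 53:
        return True
    if p.src == DNS_SERVER and p.sport == 53 and p.dst == MY_IP:
        return True
    return False


class StatefulFirewall:
    """check-state + keep-state.  An outbound query installs a dynamic rule for
    its exact 4-tuple; only packets of that flow (either direction) match it,
    and only until the rule expires.  Matching packets refresh the expiry."""

    def __init__(self) -> None:
        self.dynamic: dict[tuple, float] = {}  # 4-tuple -> expiry time

    def allows(self, p: Packet, now: float) -> bool:
        # check-state: drop expired dynamic rules, then look for a flow match.
        self.dynamic = {k: exp for k, exp in self.dynamic.items() if exp > now}
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        for key in (fwd, rev):
            if key in self.dynamic:
                self.dynamic[key] = now + DYN_UDP_LIFETIME
                return True
        # allow udp from ${my_ip} to ${dns_server} 53 keep-state
        if p.src == MY_IP and p.dst == DNS_SERVER and p.dport == 53:
            self.dynamic[fwd] = now + DYN_UDP_LIFETIME
            return True
        return False


def demo() -> dict[str, bool]:
    """Run the same spoofed/genuine packets through both rulesets."""
    query = Packet(MY_IP, 40123, DNS_SERVER, 53)          # our real lookup
    reply = Packet(DNS_SERVER, 53, MY_IP, 40123)          # the matching answer
    spoof = Packet(DNS_SERVER, 53, MY_IP, 1234)           # forged source, wrong port
    fw = StatefulFirewall()
    t = 1000.0
    results = {}
    # Stateless: the forged packet is accepted at any time.
    results["stateless_spoof_anytime"] = stateless_allows(spoof)
    # Stateful: nothing from port 53 is accepted before we ask for it.
    results["stateful_reply_before_query"] = fw.allows(reply, t)
    fw.allows(query, t)                                   # installs the dynamic rule
    results["stateful_reply_in_window"] = fw.allows(reply, t + 1)
    # A forged reply still has to hit our ephemeral port to match the flow.
    results["stateful_spoof_other_port"] = fw.allows(spoof, t + 1)
    # Once the dynamic rule has expired, even a well-formed reply is dropped.
    results["stateful_reply_after_expiry"] = fw.allows(
        reply, t + 1 + DYN_UDP_LIFETIME + 1)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

What the model makes visible is the residual exposure Boris describes: during the lifetime of a dynamic rule, a forged reply that also guesses the query's ephemeral source port is still accepted, because the firewall cannot tell it from the genuine answer. Stateful rules shrink that window from "always" to a few seconds per lookup and one specific port; they do not close it.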
