Re: [FW-1] SmartDefense DNS UDP Protocol Enforcement and BIND 9.2.1
- To: [EMAIL PROTECTED]
- Subject: Re: [FW-1] SmartDefense DNS UDP Protocol Enforcement and BIND 9.2.1
- From: Bill Gates <[EMAIL PROTECTED]>
- Date: Tue, 20 May 2003 23:03:53 -0500
- Reply-to: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]>
- Sender: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]>
You could simply disable the SmartDefense DNS UDP protocol
enforcement, remove the implied rule for allowing UDP DNS, and allow
outgoing DNS recursive queries to simply match UDP_53 (assuming you
trust internal users).
Then, for incoming queries, create your own protocol enforcement by
using a custom service (other) that provides some simple checks that
match up with RFC1035 for incoming UDP DNS queries.
Such as: create an "other" service, with your own specifics, such as:
IP Protocol: 17
Match: udp, dport=53, packetlen<513, (([UDPDATA+67:1] & 0x0000) &
([UDPDATA+68:1] & 0x0000))
I am a little rusty at this, but basically, it requires the packet to be
UDP, destined for port 53, packet size < 513, QR=0, DNS Opcode=0
(standard query), and AA, TC, RD, RA, Z and RCODE also zeroed. I think
(please double check before implementing in a critical environment)
this should be the format of a simple incoming request. Read RFC1035
(Section 4.1.1) for format details and get as specific as your
paranoia requires.
From a security perspective I don't like the EDNS0 extension, the
extension states that the server scales its response to contain as
many records as requested from the client... Just doesn't seem like a
good idea, but regardless...
-- EDNS0 SPECIFICATION QUOTE --
When a DNS server receives a request over the UDP Transport Layer, it
identifies the requestor's UDP packet size from the OPT resource
record (RR) and scales its response to contain as many resource
records as are allowed in the maximum UDP packet size specified by the
requestor.
-- END QUOTE --
>
> Maybe this is a similar issue as with Cisco Pix not handling dns udp
> requests >512 bytes as EDNS0 allows larger dns packets:
> http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=cscds58726
> > We are running FW-1 NG FP3 with SmartDefense. We just started
> > implementing
> > this configuration and I have noticed that if I turn on the
> > SmartDefense
> > DNS UDP Protocol Enforcement, my BIND 9.2.1 DNS servers
> > behind the firewall
> > can not perform recursive lookups.
> >
> > It would appear that the returned packets from the external
> > DNS servers are
> > getting dropped with SmartDefense claiming that it's "Badly
> > Formed DNS".
> >
> > Any suggestions?
--
William H. Gates
Chairman and Chief Software Architect
Microsoft Corporation
[EMAIL PROTECTED]
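The header checks the reply sketches in INSPECT (size < 513, QR=0, Opcode=0, remaining flag bits zero) can be modelled outside the firewall to see exactly which packets they accept and which they drop. The following is an added example written for this archive page; it is not code from the poster or from Check Point, and the function names, the sample packets and the query builder are constructed here. It also parses the EDNS0 OPT pseudo-RR (type 41, whose CLASS field carries the requestor's UDP payload size) so the relationship between the original "Badly Formed DNS" symptom and the 512-byte limit is visible.

```python
"""Added example: RFC 1035 header checks for an inbound UDP DNS query,
plus extraction of the EDNS0 advertised UDP payload size.
All packets below are constructed in this file; nothing is captured traffic."""
import struct
from typing import Optional, Tuple

MAX_CLASSIC_UDP = 512   # RFC 1035 section 4.2.1 limit for UDP without EDNS0
OPT_TYPE = 41           # EDNS0 OPT pseudo-RR type (RFC 2671)


def check_query_header(payload: bytes) -> Tuple[bool, str]:
    """Apply the checks from the post to a UDP payload: length < 513,
    QR=0, Opcode=0 and AA/TC/RD/RA/Z/RCODE all zero.
    Returns (accepted, reason)."""
    if len(payload) > MAX_CLASSIC_UDP:
        return False, f"packet length {len(payload)} > {MAX_CLASSIC_UDP}"
    if len(payload) < 12:
        return False, "shorter than a DNS header"
    _ident, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    qr = flags >> 15                 # bit 15: 0 = query, 1 = response
    opcode = (flags >> 11) & 0xF     # bits 11-14: 0 = standard query
    rest = flags & 0x07FF            # bits 0-10: AA, TC, RD, RA, Z, RCODE
    if qr != 0:
        return False, "QR=1 (this is a response, not a query)"
    if opcode != 0:
        return False, f"opcode {opcode} is not a standard query"
    if rest != 0:
        return False, f"flag bits set: 0x{rest:04x}"
    return True, "ok"


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:              # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:    # compression pointer: 2 bytes, then done
            return off + 2
        off += 1 + length


def edns_udp_size(payload: bytes) -> Optional[int]:
    """Return the requestor's advertised UDP payload size from the OPT RR,
    or None if the message carries no EDNS0 OPT record."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(payload, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(payload, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass                           # CLASS = UDP payload size for OPT
        off += 10 + rdlen
    return None


def build_query(name: str, rd: int = 0, edns_size: Optional[int] = None) -> bytes:
    """Constructed helper: a standard A query for `name`, optionally with the
    RD bit set and/or an EDNS0 OPT record advertising `edns_size` bytes."""
    flags = rd << 8                                 # RD is bit 8 of the flags word
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    ar = 1 if edns_size else 0
    pkt = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, ar)
    pkt += qname + struct.pack("!HH", 1, 1)         # QTYPE=A, QCLASS=IN
    if edns_size:
        # OPT RR: empty name, TYPE=41, CLASS=udp size, TTL=0 (ext flags), RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, 0, 0)
    return pkt


if __name__ == "__main__":
    samples = {
        "plain query": build_query("example.com"),
        "query with RD=1": build_query("example.com", rd=1),
        "EDNS0 query (4096)": build_query("example.com", edns_size=4096),
        "response header": struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0),
        "oversized message": b"\x00" * 600,
    }
    for label, pkt in samples.items():
        print(f"{label:22s} accepted={check_query_header(pkt)[0]!s:5s} "
              f"reason={check_query_header(pkt)[1]!r} edns={edns_udp_size(pkt) if len(pkt) >= 12 else None}")
```

Two things stand out when the model is run. The post zeroes RD along with the other flag bits, so a query with RD=1, which is what a stub resolver or a forwarding server normally sends, is rejected; anyone protecting a recursive server would relax that one bit. And a query advertising a 4096-byte EDNS0 payload passes the size test itself (it is small), but the responses it invites may exceed 512 bytes and would be dropped by a strict `packetlen<513` rule, which is the behaviour the original poster observed for BIND 9.2.1 recursion.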