Chapter 2 DNS Service 31
With a copy of your master zone, the hacker can see what kinds of services a domain
offers, and the IP address of the servers that offer them. He or she can then try specific
attacks based on those services. This is reconnaissance before another attack.
To defend against this attack, you need to specify which IP addresses are allowed to
request zone transfers (your slave zone servers) and disallow all others. Zone transfers
are carried out over TCP on port 53, so you can limit them by blocking zone transfer
requests from anyone but your slave DNS servers.
To specify zone transfer IP addresses:
Create a firewall filter that allows only IP addresses inside your firewall to access TCP port 53.
Follow the instructions in “Creating an Advanced IP Filter for TCP ports” in Chapter 3, “IP
Firewall Service.” Use the following settings:
Allow packet.
Port 53.
TCP protocol.
Source IP is the IP address of your slave DNS server.
Destination IP is the IP address of your master DNS server.
DNS Service Profiling
Another common reconnaissance technique used by malicious users is to profile your
DNS Service. First a hacker makes a BIND version request. The server will report what
version of BIND is running. He or she then compares the response to known exploits
and vulnerabilities for that version of BIND.
To defend against this attack, you can configure BIND to respond with something other
than what it is.
To alter BIND’s version response:
1 Launch a command-line text editor (like vi, emacs, or pico).
2 Open named.conf for editing.
3 Add the following line inside the "options" braces of the configuration file.
version "[your text, for example 'we're not telling!']";
4 Save the config file.
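The following named.conf fragment is an added example, not part of the Apple guide. It applies both defenses described on this page (restricting zone transfers and hiding the BIND version) in BIND itself, as a complement to the firewall filter; the addresses 192.0.2.53 (slave) and 192.0.2.1 (master) and the zone name are placeholders.

```conf
// Added example (not from the Apple guide): BIND named.conf fragment that
// applies both defenses from this page at the DNS-server level, in addition
// to the firewall filter. 192.0.2.53 is a placeholder for the slave's IP.
options {
    directory "/var/named";

    // Profiling defense: answer version.bind CHAOS queries with this text
    // instead of the real BIND version string.
    version "not disclosed";

    // Zone-transfer defense: only the slave may request an AXFR/IXFR.
    // Any other source is answered with REFUSED, even if its request
    // gets through to TCP port 53.
    allow-transfer { 192.0.2.53; };
};

// Placeholder master zone; allow-transfer above applies to it as well.
zone "example.com" {
    type master;
    file "example.com.zone";
    // Notify the slave (same address as above) when the zone changes.
    also-notify { 192.0.2.53; };
};

// Reload named after saving so the options take effect. To verify from a
// host that is NOT the slave (placeholder master address 192.0.2.1):
//   dig @192.0.2.1 version.bind chaos txt   -> TXT "not disclosed"
//   dig @192.0.2.1 example.com axfr         -> "; Transfer failed."
```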
Denial-of-Service (DoS)
This kind of attack is very common and easy to carry out. A hacker sends so many service
requests and queries that the server uses all of its processing power and network
bandwidth trying to respond. The hacker prevents legitimate use of the service by
overloading it.
LL2351.Book Page 31 Monday, September 8, 2003 2:47 PM