RE: permit udp 53

From: Joseph Ezerski (jezerski@xxxxxxxxxxxx)
Date: Sat Jul 13 2002 - 13:47:27 GMT-3


I think DNS Zone Transfers use TCP 53. Lookups use UDP.

-Joe

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Jim Brown
Sent: Saturday, July 13, 2002 9:27 AM
To: 'Yakout esmat'; kpalmer; ccielab@groupstudy.com
Subject: RE: permit udp 53

If I'm not mistaken, in certain cases DNS lookups can use TCP 53. I know
downloads use TCP 53, but depending on the lookup size, I believe lookups can
also use TCP 53.

-----Original Message-----
From: Yakout esmat [mailto:yesmat@iprimus.com.au]
Sent: Friday, July 13, 2001 7:39 AM
To: kpalmer; ccielab@groupstudy.com
Subject: RE: permit udp 53

Shouldn't the second line in the access-list be like this:

access-list 105 permit udp [x.x.x.0 0.0.0.255] gt 1023 [x.x.x.0 0.0.0.255] eq 53 log

Which means that the source UDP port number is greater than 1023 and the
destination port is UDP 53. Isn't that the way DNS works?

I may be totally wrong

Yakout

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
kpalmer
Sent: Saturday, July 13, 2002 10:49 PM
To: ccielab@groupstudy.com
Subject: permit udp 53

For anyone who cares, here's a tested DNS filter.
What a moment of incompetence! I mean, I've worked with
PIX on a daily basis and have set my share of perimeter
ACLs. But get me on my home network and all bets are off.

Actually, I think the PIX runs a fixup protocol on DNS, like
FTP, SMTP, etc.
Maybe that's why I drew a blank. Still no excuse.

access-list 105 permit tcp any x.x.0.0 0.0.y.x established
access-list 105 permit udp [x.x.x.0 0.0.0.255] eq 53 [x.x.x.0 0.0.0.255] gt 1023 log
                           dns servers               inside subnets

Log it to test it.

interface serial 1
 ip access-group 105 in

Kip Palmer
kip.palmer@verizon.net
909.374.6865 cell
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Privacy Notice:
This message is intended only for the use of the individual or entity to
whom it is addressed and may contain information that is privileged,
confidential, or exempt from disclosure under applicable federal or
state law. If the reader of this message is not the intended recipient
or the employee or agents responsible for delivering the message to the
intended recipient you are hereby notified that any dissemination,
distribution, or copying of this message is strictly prohibited. If you
have received this communication in error, please return to:
<mailto:kip.palmer@verizon.net> kip.palmer@verizon.net. THANK YOU!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
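Added example, not posted by anyone in the thread and not Cisco code: a small Python model of IOS extended-ACL matching (first match wins, implicit deny at the end, `established` = ACK or RST set), used to run Kip's two-line filter and Yakout's proposed second line against constructed inbound packets on serial 1. The x.x.x.0 placeholders are replaced by assumed networks: 10.1.1.0/24 for the outside DNS servers and 192.168.0.0/16 for the inside (clients in 192.168.1.0/24). All packets are constructed for the example. It shows why the inbound filter needs source `eq 53` / destination `gt 1023` (Yakout's ordering would drop every reply), that a TCP-53 reply to a client retry after a truncated answer rides through on `established`, that an inbound TCP-53 connection (zone transfer or TCP lookup to an inside server) is denied, that a resolver which queries from source port 53 gets no replies back through `gt 1023`, and that `established` accepts any packet with ACK set, including a spoofed one.

```python
"""Minimal model of Cisco IOS extended-ACL matching (added example, not IOS
code).  Handles permit/deny, tcp/udp/ip, any|host|wildcard addresses,
eq/gt/lt/range port operators, 'established' and 'log'."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"} or {"ACK"}


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip"
    src: tuple                      # (address_int, wildcard_int)
    sport: Optional[tuple]          # (op, value) or None meaning any port
    dst: tuple
    dport: Optional[tuple]
    established: bool
    log: bool


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(t, i):
    """Return ((base, wildcard), next_index) for: any | host A | A W."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def _parse_port(t, i):
    """Return ((op, value), next_index), or (None, i) if no port operator."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return (t[i], int(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return ("range", (int(t[i + 1]), int(t[i + 2]))), i + 3
    return None, i


def parse_rule(line):
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an extended access-list entry: " + line)
    action, proto, i = t[2], t[3], 4
    src, i = _parse_addr(t, i)
    sport, i = _parse_port(t, i) if proto in ("tcp", "udp") else (None, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i) if proto in ("tcp", "udp") else (None, i)
    rest = set(t[i:])
    return Rule(action, proto, src, sport, dst, dport,
                "established" in rest, "log" in rest)


def load_acl(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def _addr_ok(spec, addr):
    base, wild = spec              # wildcard bit set = "don't care"
    return ((_ip(addr) ^ base) & (~wild & 0xFFFFFFFF)) == 0


def _port_ok(spec, port):
    if spec is None:
        return True
    op, v = spec
    if op == "eq":
        return port == v
    if op == "gt":
        return port > v
    if op == "lt":
        return port < v
    return v[0] <= port <= v[1]


def evaluate(rules, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny.
    Returns (action, logged)."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_addr_ok(r.src, pkt.src) and _addr_ok(r.dst, pkt.dst)):
            continue
        if not (_port_ok(r.sport, pkt.sport) and _port_ok(r.dport, pkt.dport)):
            continue
        if r.established and not (pkt.flags & {"ACK", "RST"}):
            continue               # 'established' only looks at ACK/RST bits
        return r.action, r.log
    return "deny", False


# Assumed networks standing in for the thread's x.x.x.0 placeholders:
#   10.1.1.0/24 = outside DNS servers, 192.168.0.0/16 = inside (clients in 192.168.1.0/24)
KIP_ACL = load_acl("""
access-list 105 permit tcp any 192.168.0.0 0.0.255.255 established
access-list 105 permit udp 10.1.1.0 0.0.0.255 eq 53 192.168.1.0 0.0.0.255 gt 1023 log
""")
YAKOUT_ACL = load_acl("""
access-list 105 permit tcp any 192.168.0.0 0.0.255.255 established
access-list 105 permit udp 10.1.1.0 0.0.0.255 gt 1023 192.168.1.0 0.0.0.255 eq 53 log
""")

# Constructed sample packets arriving inbound on serial 1.
UDP_REPLY = Packet("udp", "10.1.1.53", 53, "192.168.1.10", 33001)        # normal UDP answer
UDP_REPLY_53 = Packet("udp", "10.1.1.53", 53, "192.168.1.53", 53)        # answer to a resolver querying from port 53
TCP_REPLY = Packet("tcp", "10.1.1.53", 53, "192.168.1.10", 44000, frozenset({"ACK"}))  # TCP retry after TC bit
TCP_AXFR = Packet("tcp", "10.1.1.53", 55555, "192.168.1.53", 53, frozenset({"SYN"}))   # inbound TCP 53 connection
SPOOFED_ACK = Packet("tcp", "198.51.100.7", 1234, "192.168.1.10", 139, frozenset({"ACK"}))

if __name__ == "__main__":
    for name in ("UDP_REPLY", "UDP_REPLY_53", "TCP_REPLY", "TCP_AXFR", "SPOOFED_ACK"):
        pkt = globals()[name]
        print(f"{name:12} kip={evaluate(KIP_ACL, pkt)} yakout={evaluate(YAKOUT_ACL, pkt)}")
```

The `log` flag on the UDP line is what Kip's "log it to test it" relies on: in this model it is returned with the verdict, on the router it drives the `%SEC-6-IPACCESSLOGP` entries you would read while validating the filter.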



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:28 GMT-3