Odd behavior with blocked DNS

This is a discussion on Odd behavior with blocked DNS within the IPFilter forums, part of the System Security and Security Related category.


08-08-2006
Michael T. Davis

We allow for stateful DNS queries initiated from behind our firewall,
but we block incoming DNS queries (since we don't have our own DNS server)
with...

block in quick on fxp0 proto tcp/udp from any to any port = 53 head 53
block return-icmp-as-dest(port-unr) \
in log quick proto udp from any to any group 53
block return-rst in log quick proto tcp from any to any group 53

Our firewall doesn't do NAT (since it's running as a bridge). It's running
under OpenBSD 2.8 w/ IPF v3.3.18 (184). (I know this is incredibly old and
probably dangerous, but at least it's not accessible to the Internet.)

Despite the above rules, TCP port 53 SYN packets are apparently making
it past the firewall, since I'm seeing RST (reset) packets being sent out in
response. (We have "flow logs" from a higher level on our network to show the
SYN packets coming in, so we're confident the RST packets are, in fact, being
sent in response to those and not as the result of some internal address
spoofing or other internal source.) FWIW, our outgoing rules for port 53 look
like this:

block in quick on fxp1 proto tcp/udp from any to any port = 53 head 1053
pass in quick proto udp from $local_subnet to any \
keep state keep frags group 1053
pass in quick proto tcp \
from $local_subnet to any flags S/SAFR keep state keep frags group 1053
block return-icmp-as-dest(port-unr) \
in log quick proto udp from any to any group 1053
block return-rst in log quick proto tcp from any to any group 1053

(This is cleaned up for readability and obscured a little bit.) I seem to
recall reading about a "keep state bug" with older versions of IPF, but I
don't recall any details. Could that be the explanation here? Oddly enough,
I just tried a "telnet <local-IP> 53" from a Windows XP system off-site, and
the firewall blocked and logged the SYN packet right away. What's with this
apparent non-deterministic behavior (or is it tied to the aforementioned "keep
state bug")?

Thanks,
Mike
--
Michael T. Davis (Mike) | Systems Specialist: CBE,MSE
E-mail: davism@ecr6.ohio-state.edu | Departmental Networking/Computing
-or- DAVISM+@osu.edu | The Ohio State University
http://www.ecr6.ohio-state.edu/~davism/ | 197 Watts, (614) 292-6928
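To see which of the quoted rules a given packet reaches and what each block rule sends back, the following is an added Python model of IPF's rule evaluation (not the post's or IPFilter's own code). It models `block return-rst` as answering with a TCP RST and `block return-icmp-as-dest(port-unr)` as answering with an ICMP port-unreachable; all addresses are constructed samples, and 192.0.2.0/24 stands in for $local_subnet.

```python
# Added model of how the quoted rules are evaluated: rules are scanned in
# order, "quick" ends the search at the first match, a matching "head N" rule
# hands the packet to group N, and a "keep state" pass records the flow so its
# later packets (replies included) are passed before any rule is consulted.
# Simplified: no fragments or logging; a head rule whose group has no match
# is assumed to apply its own action. Not IPFilter's code.
import ipaddress

LOCAL_SUBNET = ipaddress.ip_network("192.0.2.0/24")  # stands in for $local_subnet

def rule(action, proto, iface=None, dport=None, from_local=False, syn=False,
         head=None, group=0, state=False, reply=None):
    return dict(action=action, proto=proto.split("/"), iface=iface, dport=dport,
                from_local=from_local, syn=syn, head=head, group=group,
                state=state, reply=reply)

# The post's inbound rules for both bridge interfaces, in file order.
RULES = [
    rule("block", "tcp/udp", iface="fxp0", dport=53, head=53),
    rule("block", "tcp/udp", iface="fxp1", dport=53, head=1053),
    rule("block", "udp", group=53, reply="icmp-port-unr"),
    rule("block", "tcp", group=53, reply="rst"),
    rule("pass", "udp", from_local=True, group=1053, state=True),
    rule("pass", "tcp", from_local=True, syn=True, group=1053, state=True),
    rule("block", "udp", group=1053, reply="icmp-port-unr"),
    rule("block", "tcp", group=1053, reply="rst"),
]

def pkt(iface, proto, src, sport, dst, dport, syn=False):
    return dict(iface=iface, proto=proto, src=src, sport=sport, dst=dst, dport=dport, syn=syn)

def matches(r, p):
    return (p["proto"] in r["proto"] and r["iface"] in (None, p["iface"])
            and r["dport"] in (None, p["dport"])
            and (not r["from_local"] or ipaddress.ip_address(p["src"]) in LOCAL_SUBNET)
            and (not r["syn"] or p["syn"]))       # flags S/SAFR: SYN-only packets

def evaluate(p, state, group=0):
    """Return (verdict, reply); state is a set of flow tuples shared across calls."""
    flow = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
    if group == 0 and (flow in state or flow[:1] + flow[3:] + flow[1:3] in state):
        return ("pass", "state")                   # known flow: rules are skipped
    for r in (r for r in RULES if r["group"] == group):
        if not matches(r, p):
            continue
        if r["head"] is not None:
            verdict = evaluate(p, state, r["head"])
            if verdict[0] != "nomatch":
                return verdict
        if r["state"]:
            state.add(flow)
        return (r["action"], r["reply"])           # every quoted rule is "quick"
    return ("nomatch", None) if group else ("pass", "default")
```

Feeding an external SYN to port 53 on fxp0 through `evaluate` yields `("block", "rst")`, i.e. the RST is generated by the block rule itself; an internal query from the local subnet on fxp1 creates state, and its reply arriving on fxp0 is then passed on that state without touching the rules.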