The "not long discussion" thread....
I posted to NANOG:
Jerry Pasker <info@n-connect.net> wrote:
fine. (after a few tries) I'm using BIND 9.2.4 without the eye pee vee six stuff compiled in. Because I don't want to start something; No discussion about me blocking port 53, ok? I got tired of gobs of log files of script kiddies trying to download my domains 5 years ago...
Steve Sobol replied with:
I'm not going to enter into a long discussion with you. :)
I'm just curious why you didn't restrict AXFR to certain IPs instead.
And I'm posting back to NANOG: I did. And I had router ACLs doing the same thing. Allow to hosts that needed it, deny for everyone else. And I did this to ALL my DNS servers. I was getting DoSed one day, somewhere in the whereabouts of about 2001, and put in the ACLs, immediately expecting it to break things (truncated responses needing TCP and/or other things that I didn't foresee). Much to my dismay, it broke nothing. Despite me looking for problems, and asking and pleading with my techies to find trouble tickets related to this issue, it didn't happen. I revisited the issue periodically. Every time there was an unexplained DNS issue, I would think "it must be the port 53 block!" but alas, I was disappointed each and every time. I've removed and added the ACLs countless times over the years troubleshooting various DNS issues, but this is the first time that removing them actually solved anything. See, I *WANTED* there to be a problem in blocking port 53, I *BELIEVED* all the talk that it would cause problems, but that problem never showed up. Over the years, eventually I just slowly arrived at the conclusion that all the talk was from people who talked, not from people who were brave enough to try it in a production environment. 4 years later, I was proved "inconclusive": Blocking port 53 does break things to servers that are already (apparently?) broken.
-Jerry
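The server-side alternative Steve asks about, restricting AXFR to specific hosts in BIND rather than filtering TCP/53 upstream, as an added named.conf example (not from the thread or from Jerry's setup); the addresses, zone name, key name and secret are placeholders:

```conf
// Added example: restrict zone transfers in BIND 9.2 without touching TCP/53.
// Placeholder addresses, zone, key name and secret.

// Hosts permitted to pull zones (the secondaries), by source address.
acl "xfer-hosts" { 192.0.2.10; 198.51.100.20; };

// TSIG key so a spoofed source address alone does not earn a transfer.
key "xfer-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET==";   // placeholder, generate a real one
};

options {
    directory "/var/named";
    // Weak default: with no allow-transfer at all, BIND 9.2 hands the
    // whole zone to anyone who asks. Deny globally and open per zone.
    allow-transfer { none; };
    // TCP/53 itself stays reachable: ordinary clients retry over TCP when
    // a UDP answer comes back truncated (TC bit set), which is the failure
    // a blanket TCP/53 filter risks.
};

zone "example.net" {
    type master;
    file "example.net.zone";
    // Override the global deny only here: a request passes if it carries
    // the TSIG key or comes from a listed secondary.
    allow-transfer { key "xfer-key"; xfer-hosts; };
    also-notify { 192.0.2.10; 198.51.100.20; };
};
```

A router ACL permitting TCP/53 only from the same secondaries does the same filtering at the edge, which is the "biggest hammer" Jerry describes later in the thread.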
Jerry Pasker wrote:
Steve Sobol replied with:
I'm not going to enter into a long discussion with you. :)
I'm just curious why you didn't restrict AXFR to certain IPs instead.
And I'm posting back to NANOG:
I did.
And I had router ACLs doing the same thing. Allow to hosts that needed it, deny for everyone else. And I did this to ALL my DNS servers.
What were the router ACLs doing that the DNS server ACLs weren't/couldn't?
--
JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638)
Steven J. Sobol, Geek In Charge / sjsobol@JustThe.net / PGP: 0xE3AE35ED
"The wisdom of a fool won't set you free" --New Order, "Bizarre Love Triangle"
On Tue, 26 Apr 2005, Steve Sobol wrote:
Jerry Pasker wrote:
Steve Sobol replied with:
I'm not going to enter into a long discussion with you. :) I'm just curious why you didn't restrict AXFR to certain IPs instead.
And I had router ACLs doing the same thing. Allow to hosts that needed it, deny for everyone else. And I did this to ALL my DNS servers.
What were the router ACLs doing that the DNS server ACLs weren't/couldn't?
This, it seems, was an unfortunate side effect (as I pointed out earlier) of legacy software and legacy config... if I had to guess.
Steve Sobol allegedly replied to my reply with:
What were the router ACLs doing that the DNS server ACLs weren't/couldn't?
The ACLs were doing it for the entire server network. Since I prefer my job as a router-rat over everything else I do, I find it easiest to use the biggest hammer available to me when dealing with DoS attacks. One router ACL vs. 10 server ACLs? When I'm under attack I'll take the one router ACL. Then, per their request, I added it to the networks that my collocation clients were on. They were getting 0wn3d regularly, and it really simplified my life in a time when new BIND 8 exploits were coming out every 4 minutes. The router ACLs made my life easier, not harder. Besides, it's my ASN, and I can do what I want. ;-)
Christopher L. Morrow allegedly wrote:
This, it seems, was an unfortunate side effect (as I pointed out earlier) of legacy software and legacy config... if I had to guess.
You guess wrong. See the above. And don't pass judgement. (Am I being cited for lack of clue? It kind of feels like it.) It wasn't a *BAD* thing, it was a *GOOD* thing. It made things better, not worse. I still may go back and re-implement port 53 blocks in the future if I find a good reason to. I know now that it doesn't really cause operational problems. At least not in a smaller ISP environment. Would I want a transit network to block TCP 53? Of course not. But my end customers request those types of services regularly, so I try to provide what they want. And don't think I'm coming off as all ticked off and defensive. I'm not ticked off, I'm actually enjoying this. As for being defensive? Maybe. I'm trying hard not to be though. I really can't help myself... I have this lurking fear that I'm being tossed into the "clueless block TCP 53 with an outsourced firewall, and don't know what I'm doing beyond that" group that I so despise. ;-) Especially on this list, full of people that I have so much respect for. I knew I was opening myself up a little when I decided to "help out" by sharing my worldnic.com experiences, but figured it was for the good of the group, and therefore, worth it. And I still think that.
-Jerry
On Wed, 27 Apr 2005, Jerry Pasker wrote:
Christopher L. Morrow allegedly wrote:
This, it seems, was an unfortunate side effect (as I pointed out earlier) of legacy software and legacy config... if I had to guess.
You guess wrong. See the above. And don't pass judgement. (Am I being cited for lack of clue? It kind of feels like it.) It wasn't a
No lack of clue meant, just pointing out one possible cause of the ACL usage. I don't think I saw the original reasoning in the original email.
*BAD* thing, it was a *GOOD* thing. It made things better, not worse. I still may go back and re-implement port 53 blocks in the future if I find a good reason to. I know now that it doesn't really cause operational problems. At least not in a smaller ISP environment. Would I want a transit network to block TCP 53? Of course not. But my end customers request those types of services regularly, so I try to provide what they want.
Sure, this is a form of 'managed security services' and the customer (and you) agree to that policy change.
And don't think I'm coming off as all ticked off and defensive. I'm not ticked off, I'm actually enjoying this. As for being defensive? Maybe. I'm trying hard not to be though. I really can't help myself... I have this lurking fear that I'm being tossed into the "clueless block TCP 53 with an outsourced firewall, and don't know what I'm doing beyond that" group that I so despise. ;-) Especially on this list, full of people that I have so much respect for.
Either way, it was just one possibility of many for the ACL to be there, nothing more :)
good of the group, and therefore, worth it. And I still think that.
Excellent, it probably helps Patrick, the world-nic folks and others as well :)