Thursday, September 13, 2007

Blocking Port 53 TCP

I just read Experimental Storm Worm DNS Blocklist at SANS. The result of such a scheme looks something like this:

richard@neely:~$ host basic1.threatstop.com
;; Truncated, retrying in TCP mode.
basic1.threatstop.com has address 221.208.208.28
basic1.threatstop.com has address 221.208.208.27
basic1.threatstop.com has address 221.208.208.26
basic1.threatstop.com has address 221.208.208.25
basic1.threatstop.com has address 221.208.208.24
basic1.threatstop.com has address 221.208.208.23
basic1.threatstop.com has address 221.208.208.22
basic1.threatstop.com has address 221.208.208.21
basic1.threatstop.com has address 221.208.208.20
basic1.threatstop.com has address 221.208.208.19
basic1.threatstop.com has address 221.208.208.18
basic1.threatstop.com has address 221.208.208.17
basic1.threatstop.com has address 221.208.208.16
basic1.threatstop.com has address 221.208.208.15
basic1.threatstop.com has address 221.208.208.14
basic1.threatstop.com has address 221.208.208.13
basic1.threatstop.com has address 221.208.208.12
basic1.threatstop.com has address 221.208.208.11
basic1.threatstop.com has address 221.208.208.10
basic1.threatstop.com has address 221.208.208.9
basic1.threatstop.com has address 221.208.208.8
basic1.threatstop.com has address 221.208.208.7
basic1.threatstop.com has address 221.208.208.6
basic1.threatstop.com has address 221.208.208.5
basic1.threatstop.com has address 221.208.208.4
basic1.threatstop.com has address 221.208.208.3
basic1.threatstop.com has address 221.208.208.2
basic1.threatstop.com has address 221.208.208.1
basic1.threatstop.com has address 221.208.208.0

These IPs are supposed to be Storm Trojan-infected hosts.

As soon as I saw that many records, I knew TCP would be involved -- not UDP. Sure enough:



Basically, because so many records are returned, the answer does not fit in a single UDP reply, so the server sets the truncated (TC) flag and the resolver repeats the query over TCP. If you maintain a policy that blocks all port 53 TCP traffic because you heard that in a class somewhere, you might not be able to resolve this name and get these IPs. I wrote about this in my first book when I provided case studies on normal, suspicious, and malicious traffic using port 53 UDP and TCP.
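To make the truncate-and-retry behaviour concrete, here is an added example (my own code, not anything from this post or from ThreatSTOP) that builds the 29-record answer above, shows that it cannot be carried in a 512-byte UDP reply, and walks through what a stub resolver does when it sees the TC bit: repeat the identical query over TCP, where each message is prefixed with a 2-byte length. The authoritative server is an in-memory stand-in (`make_server`, hypothetical) that writes owner names uncompressed, which the protocol permits; the 29 addresses are taken from the `host` output above, and `one.example` is a constructed name used only to show the UDP-only path.

```python
import struct
import ipaddress

# Constructed sample data: the 29 addresses the post's `host` output lists for basic1.threatstop.com
SAMPLE_NAME = "basic1.threatstop.com"
SAMPLE_IPS = [f"221.208.208.{i}" for i in range(28, -1, -1)]

UDP_MAX = 512  # largest DNS payload a plain UDP reply may carry (RFC 1035, no EDNS0)
# header flag bits: QR = response, TC = truncated (retry over TCP), RD/RA = recursion desired/available
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(data, offset):
    """Read a name at offset, following compression pointers; return (name, end offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier copy of the name
            end = end if jumped else offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def build_query(name, qid=0x1234):
    """A standard A/IN query with recursion desired."""
    return struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(query, ips, limit=None):
    """Answer with one A record per IP. Given a byte budget (UDP_MAX for UDP), a reply that does
    not fit is cut down to header + question with TC set; that is what forces the TCP retry."""
    qid = struct.unpack("!H", query[:2])[0]
    qname, qend = decode_name(query, 12)
    question = query[12:qend + 4]  # name + qtype + qclass, echoed back
    owner = encode_name(qname)     # written in full each time; name compression is optional
    rrs = b"".join(owner + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
                   for ip in ips)
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    full = struct.pack("!HHHHHH", qid, flags, 1, len(ips), 0, 0) + question + rrs
    if limit is not None and len(full) > limit:
        return struct.pack("!HHHHHH", qid, flags | FLAG_TC, 1, 0, 0, 0) + question
    return full

def parse_response(data):
    """Return the transaction id, the TC flag and the A-record addresses in the answer section."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset, answers = 12, []
    for _ in range(qdcount):
        _, offset = decode_name(data, offset)
        offset += 4
    for _ in range(ancount):
        _, offset = decode_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(str(ipaddress.IPv4Address(data[offset:offset + 4])))
        offset += rdlen
    return {"id": qid, "tc": bool(flags & FLAG_TC), "answers": answers}

def tcp_frame(msg):
    """DNS over TCP prefixes every message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream):
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length: raise ValueError("short DNS-over-TCP message")
    return stream[2:2 + length]

def make_server(zone):
    """Constructed in-memory authoritative server (hypothetical): zone maps name -> IPv4 list."""
    def serve(wire, transport):  # transport is "udp" or "tcp"
        query = tcp_unframe(wire) if transport == "tcp" else wire
        qname, _ = decode_name(query, 12)
        reply = build_response(query, zone.get(qname, []),
                               limit=UDP_MAX if transport == "udp" else None)
        return tcp_frame(reply) if transport == "tcp" else reply
    return serve

def resolve(name, serve, qid=0x1234):
    """The stub-resolver logic behind `;; Truncated, retrying in TCP mode.`: ask over UDP and, if
    the reply carries TC, repeat the same query over TCP. Returns (addresses, transport used)."""
    query = build_query(name, qid)
    reply = parse_response(serve(query, "udp"))
    if reply["id"] != qid:
        raise ValueError("transaction id mismatch")
    if not reply["tc"]:
        return reply["answers"], "udp"
    reply = parse_response(tcp_unframe(serve(tcp_frame(query), "tcp")))
    return reply["answers"], "tcp"
```

Run `resolve(SAMPLE_NAME, make_server({SAMPLE_NAME: SAMPLE_IPS}))` and the 29 addresses only arrive via the TCP leg; the UDP leg comes back with TC set and an empty answer section. On a real network that second leg is a connection to port 53/TCP, which is exactly the step an "all 53/TCP denied" rule removes, so the symptom is a name that silently fails to resolve rather than a blocked zone transfer.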

7 comments:

Bert JW said...

;; Truncated, retrying in TCP mode.

Should have been a great hint :P

Threat said...

Tom Byrnes, CTO and founder of ThreatSTOP here.

Yes, we have to use TCP because of the list size. However, you only have to allow outbound requests from your firewall or nameserver, not any inbound, so that should not present any security risk to your infrastructure.

For the paranoid, you can sign up for our service, which is free and will provide the same lists even when there isn't a net-emergency. We use a private secure DNS running the latest BIND 9 stable.

Richard Bejtlich said...

bert jw,

I knew it was going to be TCP before I even looked at the traffic. Does that make you happy?

Tom,

Your service is cool -- I was just commenting because I have seen sites who hear "block 53 TCP!" and end up blocking it everywhere, in and out, without thought of the consequences.

Marcin said...

Reminds me of those sites/people who block ICMP because it can be used for tracert or God forbid, ping of death!

Bert JW said...

Richard:

I had no doubts about that. I just found it funny you decided to point it out with a screencap of Wireshark.

Anyone that is blocking TCP port 53 outbound should not be allowed to administrate a firewall since they apparently have no clue how any of the protocols they are using work.

Anonymous said...

DNS Servers ONLY should be left for TCP/53 connects for zone transfers. Good Security practice is DENY any any eq 53 UDP/TCP -- EXCEPT for your primary & secondary DNS servers.

Richard Bejtlich said...

Anonymous, do you even know what I am talking about with respect to legitimate, non-zone-transfer DNS over TCP?