Blocking Port 53 TCP
I just read Experimental Storm Worm DNS Blocklist at SANS. The result of such a scheme looks something like this:
richard@neely:~$ host basic1.threatstop.com
;; Truncated, retrying in TCP mode.
basic1.threatstop.com has address 221.208.208.28
basic1.threatstop.com has address 221.208.208.27
basic1.threatstop.com has address 221.208.208.26
basic1.threatstop.com has address 221.208.208.25
basic1.threatstop.com has address 221.208.208.24
basic1.threatstop.com has address 221.208.208.23
basic1.threatstop.com has address 221.208.208.22
basic1.threatstop.com has address 221.208.208.21
basic1.threatstop.com has address 221.208.208.20
basic1.threatstop.com has address 221.208.208.19
basic1.threatstop.com has address 221.208.208.18
basic1.threatstop.com has address 221.208.208.17
basic1.threatstop.com has address 221.208.208.16
basic1.threatstop.com has address 221.208.208.15
basic1.threatstop.com has address 221.208.208.14
basic1.threatstop.com has address 221.208.208.13
basic1.threatstop.com has address 221.208.208.12
basic1.threatstop.com has address 221.208.208.11
basic1.threatstop.com has address 221.208.208.10
basic1.threatstop.com has address 221.208.208.9
basic1.threatstop.com has address 221.208.208.8
basic1.threatstop.com has address 221.208.208.7
basic1.threatstop.com has address 221.208.208.6
basic1.threatstop.com has address 221.208.208.5
basic1.threatstop.com has address 221.208.208.4
basic1.threatstop.com has address 221.208.208.3
basic1.threatstop.com has address 221.208.208.2
basic1.threatstop.com has address 221.208.208.1
basic1.threatstop.com has address 221.208.208.0
These IPs are supposed to be Storm Trojan infected hosts.
As soon as I saw that many records I knew TCP would be involved -- not UDP. Sure enough:
Basically, because so many records are returned, the answer does not fit in a single UDP response: the reply comes back truncated and the resolver retries over TCP. If you maintain a policy that blocks all port 53 TCP traffic because you heard that in a class somewhere, you might not be able to resolve these IPs. I wrote about this in my first book when I provided case studies on normal, suspicious, and malicious traffic using port 53 UDP and TCP.
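To show why a 31-address answer forces the TCP retry seen above, here is an added example (not code from the post or from ThreatStop) that builds the DNS wire messages offline: a simulated authoritative server truncates the UDP reply at 512 bytes and sets the TC bit, and a simulated resolver behaves like host(1), retrying over TCP unless outbound 53/TCP is blocked. The name, the 221.208.208.0/27 addresses and the 512-byte limit come from the post; the TTL, transaction ID and the truncation policy (drop trailing records until the message fits) are assumptions.

```python
import struct

NAME = "basic1.threatstop.com"   # the name resolved in the post
ADDRS = ["221.208.208.%d" % i for i in range(31)]  # the 31 A records shown above
UDP_MAX = 512                    # classic DNS/UDP payload limit (no EDNS0)
TC_BIT = 0x0200                  # "truncated" flag in the DNS header

def encode_name(name):
    # Wire-format name: length-prefixed labels terminated by a zero byte.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(name, addrs, udp=True, txid=0x1234):
    """Act as the authoritative server: one A record per address. Over UDP,
    drop trailing records until the message fits in UDP_MAX and set TC (assumed policy)."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    answers = []
    for ip in addrs:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C is a compression pointer to the owner name at offset 12; TTL 300 is assumed
        answers.append(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata)
    flags = 0x8180                                                # QR, RD, RA
    if udp:
        while answers and 12 + len(question) + 16 * len(answers) > UDP_MAX:
            answers.pop()
            flags |= TC_BIT
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    return header + question + b"".join(answers)

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_BIT)

def answer_count(msg):
    return struct.unpack("!H", msg[6:8])[0]

def frame_for_tcp(msg):
    # DNS over TCP prefixes every message with a 2-byte big-endian length.
    return struct.pack("!H", len(msg)) + msg

def resolve(name, addrs, tcp_allowed=True):
    """Mimic the host(1) run in the post: query over UDP first; if the reply
    has TC set, retry over TCP. Returns (transport, number of A records)."""
    udp_reply = build_response(name, addrs, udp=True)
    if not is_truncated(udp_reply):
        return "udp", answer_count(udp_reply)
    if not tcp_allowed:
        # A firewall dropping outbound 53/TCP leaves the resolver stuck with a partial answer.
        return "blocked", 0
    tcp_reply = frame_for_tcp(build_response(name, addrs, udp=False))
    return "tcp", answer_count(tcp_reply[2:])
```

The full response for this name is 535 bytes even with name compression, so the UDP reply carries only 29 records with TC set, and the complete 31-record answer only arrives once the TCP retry is allowed through.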
Comments
Should have been a great hint :P
Yes, we have to use TCP because of the list size. However, you only have to allow outbound requests from your firewall or nameserver, not any inbound, so that should not present any security risk to your infrastructure.
For the paranoid, you can sign up for our service, which is free and will provide the same lists even when there isn't a net-emergency. We use a private secure DNS running the latest BIND 9 stable.
I knew it was going to be TCP before I even looked at the traffic. Does that make you happy?
Tom,
Your service is cool -- I was just commenting because I have seen sites who hear "block 53 TCP!" and end up blocking it everywhere, in and out, without thought of the consequences.
I had no doubts about that. I just found it funny you decided to point it out with a screencap of Wireshark.
Anyone that is blocking TCP port 53 outbound should not be allowed to administrate a firewall since they apparently have no clue how any of the protocols they are using work.