[dns-operations] "Cybercrooks exploiting new Windows DNS flaw"

Roland Dobbins rdobbins at cisco.com
Fri Apr 13 20:26:17 UTC 2007

On Apr 13, 2007, at 1:23 PM, Stasiniewicz, Adam wrote:

> But the firewall rule is always UDP 53 inbound allow, drop  
> everything else.  It goes without saying that there are also  
> stateful packet inspection rules.

This is categorically untrue.  Many DNS servers have no firewalls at  
all in front of them (and rightly so, to avoid the DoS vector  
resulting from the additional sate), and as to the posited filtering  
policy, this is far from universal (it breaks truncate mode, for one  

Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

         Words that come from a machine have no soul.

                       -- Duong Van Ngo

More information about the dns-operations mailing list