[dns-operations] "Cybercrooks exploiting new Windows DNS flaw"
Roland Dobbins
rdobbins at cisco.com
Fri Apr 13 20:26:17 UTC 2007
On Apr 13, 2007, at 1:23 PM, Stasiniewicz, Adam wrote:
> But the firewall rule is always UDP 53 inbound allow, drop
> everything else. It goes without saying that there are also
> stateful packet inspection rules.
This is categorically untrue. Many DNS servers have no firewalls at
all in front of them (and rightly so, to avoid the DoS vector
resulting from the additional state), and as to the posited filtering
policy, this is far from universal (it breaks truncate mode, for one
thing).
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
Words that come from a machine have no soul.
-- Duong Van Ngo
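
The truncate-mode point in the message above, as an added example that is not part of the original post: a small model of a client lookup through an inbound filter, showing that a "UDP 53 only" policy fails as soon as a response carries the TC bit and the client must retry over TCP 53. The policy sets, function names and sample headers are constructed for illustration.

```python
import struct

TC_BIT = 0x0200  # truncation flag in the DNS header flags word (RFC 1035)

def build_header(txid, flags, qdcount=1, ancount=0):
    """Pack a 12-byte DNS header (constructed sample, not captured traffic)."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)

def is_truncated(message):
    """Return True when the response header has the TC bit set."""
    if len(message) < 12:
        raise ValueError("short DNS message")
    _, flags = struct.unpack("!HH", message[:4])
    return bool(flags & TC_BIT)

def allowed(policy, proto, port):
    """policy is a set of (proto, port) pairs permitted inbound; default drop."""
    return (proto, port) in policy

def resolve(policy, udp_response):
    """Model one lookup through an inbound filter in front of the server.

    Returns 'answered-udp', 'answered-tcp' or 'failed'.
    """
    if not allowed(policy, "udp", 53):
        return "failed"
    if not is_truncated(udp_response):
        return "answered-udp"
    # TC set: the client has to repeat the query over TCP port 53.
    return "answered-tcp" if allowed(policy, "tcp", 53) else "failed"

# Hypothetical policies: the one quoted in the thread, and one that also
# admits TCP 53 so truncated answers can be retried.
UDP_ONLY = {("udp", 53)}
UDP_AND_TCP = {("udp", 53), ("tcp", 53)}

# Constructed headers: QR=1, RD=1, RA=1 gives 0x8180; the second adds TC.
SMALL = build_header(0x1234, 0x8180, ancount=1)
TRUNCATED = build_header(0x1234, 0x8180 | TC_BIT)

if __name__ == "__main__":
    for name, policy in (("udp-only", UDP_ONLY), ("udp+tcp", UDP_AND_TCP)):
        print(name, resolve(policy, SMALL), resolve(policy, TRUNCATED))
```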