Comments on: QQ Updates on Dns Port over Http? http://blog.threatfire.com/2008/07/qq-updates-on-dns-port-over-http.html ThreatFireâ„¢ AntiVirus protects when others can't Fri, 06 Nov 2009 17:43:38 -0600 http://wordpress.org/?v=2.8.4 hourly 1 By: Johan http://blog.threatfire.com/2008/07/qq-updates-on-dns-port-over-http.html/comment-page-1#comment-43 Johan Wed, 16 Jul 2008 09:55:00 +0000 http://newblog.threatfire.com/2008/07/qq-updates-on-dns-port-over-http/#comment-43 They abuse a common error in firewall building, to allow tcp connections from the inside to the world.<br/>There are two options for network-admins:<br/>1. Start using an application layer firewall, instead of a packetfilter. <br/>2. If you can not upgrade to an application layer firewall, make your rules tighter: For example, configure a dns server inside your network and only let that server talk to the outside on port 53, or even better, configure forwarding to 2 specific dns-servers from your ISP, and let them handle all the lookups and forward you the result.<br/><br/>BTW: resolving dns is only done over UDP, only synching zone-files you need tcp. So if you do not host a dns-server, you can close the tcp connections on port 53. They abuse a common error in firewall building, to allow tcp connections from the inside to the world.
There are two options for network-admins:
1. Start using an application layer firewall, instead of a packetfilter.
2. If you can not upgrade to an application layer firewall, make your rules tighter: For example, configure a dns server inside your network and only let that server talk to the outside on port 53, or even better, configure forwarding to 2 specific dns-servers from your ISP, and let them handle all the lookups and forward you the result.

BTW: resolving dns is only done over UDP, only synching zone-files you need tcp. So if you do not host a dns-server, you can close the tcp connections on port 53.

]]>