Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-Id: <200303041638.LAA18978@cs.umb.edu>
To: cygwin AT cygwin DOT com
Subject: Re: why is bash trying to access my DNS? [OT]
In-Reply-To: Your message of "04 Mar 2003 09:13:02 GMT." <1046769182 DOT 11532 DOT ezmlm AT cygwin DOT com>
Reply-To: rouilj AT ieee DOT org
Date: Tue, 04 Mar 2003 11:38:31 -0500
From: "John P. Rouillard"

>On Mon, 2003-03-03 at 23:59, Randall R Schulz wrote:
>> Geoffrey,
>>
>> Exactly what sneaky data can get sent in a DNS request?
>> [...]
>
>Actually, plenty. Historically, Bind has been easily hacked. Although
>it's been a while since a good vulnerability was found in Bind, that
>doesn't mean there's not an unknown hole in it which could be exploited.
>
>However, in order to exploit such a hole, the attacking system has to
>be, in one way or another, "owned". Anybody with the presence of mind
>to be running ZoneAlarm (or something similar) would certainly know if
>their system(s) had been compromised in such a fashion.

Why is everybody assuming that a random host on the internet is running a
DNS server on port 53?

Consider this scenario: I put my machine on the internet. I then put a UDP
listener at port 53. I then distribute software that knows how to create a
UDP packet to port 53 on my host. I can send anything I want to that port:
files, passwords, registry entries... Just because it's going to a DNS port
does not mean that it's DNS data. It just means that it's data for the
service at that particular IP address/port number.

Now if you filter to certain hosts that you KNOW are running DNS on port 53,
then that is different. However, that means you must keep updating the
filter lists, since I know my ISP changes my DNS servers almost every time I
dial up. (My guess is they have a couple of DNS servers per class C
subnet/POP, but that's just a guess.)

Running ZoneAlarm gives you a hint that something bad may be going on when a
program that shouldn't be making DNS queries starts making them. Or,
alternatively, starts making queries to the DNS port on Joe Blow's computer
rather than a local network computer.

-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
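The scenario in the message above (a UDP listener on port 53 accepting arbitrary bytes, and a port-only filter that cannot tell the difference) can be demonstrated in a few lines. This is an added example written for this page, not code from the original poster or from the cygwin project. It builds a real RFC 1035 query, a constructed "exfil" blob, and a constructed DNS-tunnel query, then compares three egress checks: port only, port plus a DNS message-shape parser, and port plus an allowlist of known resolvers. The hostnames, the blob contents and the resolver list are illustrative assumptions; the loopback round trip uses an ephemeral port instead of 53 so it runs without privileges.

```python
"""Port number is not protocol: a datagram to UDP/53 may carry anything."""
import socket
import struct

DNS_PORT = 53
# Assumed allowlist of resolvers the host is configured to use (illustrative).
KNOWN_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal standard DNS query: RD set, one question, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_dns_question(payload: bytes):
    """Return (txid, qname) if payload is a well-formed single-question DNS
    query per RFC 1035 section 4.1, otherwise None."""
    if len(payload) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:              # QR bit set: a response, not a query
        return None
    if (flags >> 11) & 0xF != 0:    # OPCODE must be QUERY (0)
        return None
    if qd != 1 or an or ns or ar:   # exactly one question, nothing else
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or length > 63:  # no compression pointers in a query
            return None
        label = payload[pos:pos + length]
        if len(label) != length:
            return None
        labels.append(label)
        pos += length
    if pos + 4 != len(payload):     # QTYPE + QCLASS must end the datagram
        return None
    _qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if qclass != 1:
        return None
    return txid, ".".join(l.decode("ascii", "replace") for l in labels)


def port_only_filter(dst_ip: str, dst_port: int, payload: bytes) -> bool:
    """What a naive 'allow DNS' rule does: looks at the port and nothing else."""
    return dst_port == DNS_PORT


def shape_filter(dst_ip: str, dst_port: int, payload: bytes) -> bool:
    """Port plus a check that the bytes actually parse as a DNS query."""
    return dst_port == DNS_PORT and parse_dns_question(payload) is not None


def resolver_filter(dst_ip: str, dst_port: int, payload: bytes) -> bool:
    """Port plus the poster's stricter rule: only to resolvers you KNOW."""
    return shape_filter(dst_ip, dst_port, payload) and dst_ip in KNOWN_RESOLVERS


def udp_roundtrip(payload: bytes) -> bytes:
    """A UDP listener receives whatever bytes are sent to it, DNS or not.
    Binds an ephemeral loopback port so no privileges are needed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2)
        client.sendto(payload, listener.getsockname())
        data, _ = listener.recvfrom(65535)
        return data
    finally:
        client.close()
        listener.close()


# Constructed sample datagrams (not captured traffic).
REAL_QUERY = build_query("cygwin.com")
EXFIL_BLOB = b"HKEY_CURRENT_USER\\Software\\...;user=joe;pass=hunter2"
TUNNEL_QUERY = build_query("aHVudGVyMg.exfil.example", txid=0x4242)

if __name__ == "__main__":
    assert udp_roundtrip(EXFIL_BLOB) == EXFIL_BLOB
    for name, pkt in [("real", REAL_QUERY), ("blob", EXFIL_BLOB), ("tunnel", TUNNEL_QUERY)]:
        print(name, port_only_filter("203.0.113.9", 53, pkt),
              shape_filter("203.0.113.9", 53, pkt), resolver_filter("203.0.113.9", 53, pkt))
```

The shape check rejects the raw blob but still passes the tunnel query, because a syntactically valid QNAME can carry encoded data; that is why the message's point about destination matters: only an allowlist of resolvers (or a per-program rule, which is what ZoneAlarm adds) stops a query to Joe Blow's port 53, and as the poster notes that list has to be maintained when the ISP's resolvers change.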