Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Message-Id: <5.2.0.9.2.20030304151606.02bfc730@pop3.cris.com>
Date: Tue, 04 Mar 2003 15:33:26 -0800
To: rouilj AT ieee DOT org, cygwin AT cygwin DOT com
From: Randall R Schulz
Subject: Re: why is bash trying to access my DNS? [OT]
In-Reply-To: <200303041638.LAA18978@cs.umb.edu>

John,

I get it.

Well, on my system, running Norton Personal Firewall, each distinct program that attempts to access the Internet or to which a connection is attempted (and which is not known to be and has not been granted access rights) produces an alert. I take it this much is like ZoneAlarm. In NPF one can continue to individually grant and deny these attempts or choose to grant or deny them "forever" (which just causes a new rule to be added to NPF's database--those rules can be edited.) NPF also has a "zones" notion that allows different protection regimes to be applied to different zones. Zones are defined by IP addresses or ranges thereof.

I never reflexively hit "grant" on those alerts. Most of the time if I'm going to grant (not deny), I'll make it a rule and not have to bother again. NPF seems to know in detail (beyond just file name) the applications to which its rules apply, since when I re-install something (say wget) using the updated application triggers an alert from NPF again.

Perhaps the free version of ZoneAlarm does not provide as flexible or readily accessible a facility for defining new access control rules? All I really recall about it was that it (I was actually using one of the "premium" non-free($) versions) caused my system to lock up when I used Internet Connection Sharing. That was a couple of years ago. I dumped it after a couple of those incidents.

Randall Schulz

At 08:38 2003-03-04, John P. Rouillard wrote:
>
> > On Mon, 2003-03-03 at 23:59, Randall R Schulz wrote:
> >> Geoffrey,
> >>
> >> Exactly what sneaky data can get sent in a DNS request?
> >> [...]
> >
> > Actually, plenty. Historically, Bind has been easily hacked. Although
> > it's been a while since a good vulnerability was found in Bind, that
> > doesn't mean there's not an unknown hole in it which could be exploited.
> >
> > However, in order to exploit such a hole, the attacking system has to
> > be, in one way or another, "owned". Anybody with the presence of mind
> > to be running ZoneAlarm (or something similar) would certainly know if
> > their system(s) had been compromised in such a fashion.
>
> Why is everybody assuming that a random host on the internet is running
> a dns server on port 53? Consider this scenario:
>
>   I put my machine on the internet. I then put a udp listener at port
>   53. I then distribute software that knows how to create a udp packet
>   to port 53 on my host. I can send anything I want to that port:
>   files, passwords, registry entries... Just because it's going to a
>   DNS port does not mean that it's DNS data. It just means that it's
>   data for the service at that particular IP Address/Port number.
>
> Now if you filter to certain hosts that you KNOW are running dns on
> port 53, then that is different. However that means you must keep
> updating the filter lists since I know my ISP changes my DNS servers
> almost every time I dial up. (My guess is they have a couple of DNS
> servers per class C subnet/POP, but that's just a guess).
>
> Running ZoneAlarm gives you a hint that something bad may be going on
> when a program that shouldn't be making DNS queries starts making
> them. Or alternatively starts making queries to the DNS port
> on joe blow's computer rather than a local network computer.
>
>   -- rouilj
> John Rouillard

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
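John's two points above, that bytes sent to port 53 are not necessarily DNS and that queries to resolvers you do not recognise are a useful warning sign, can be turned into a defensive check. The following is an added example, not code from the thread: it checks that a UDP/53 payload has the shape of a plain DNS query and flags flows to hosts outside a resolver allow-list; the process names, addresses (RFC 5737 documentation ranges) and payloads are constructed sample data.

```python
import struct

# Constructed allow-list of expected resolvers (RFC 5737 documentation addresses, not real servers).
KNOWN_RESOLVERS = {"192.0.2.53", "198.51.100.53"}

def looks_like_dns_query(payload: bytes) -> bool:
    """True if payload has the shape of a plain DNS query: header with QR clear,
    one question, a well-formed QNAME, and nothing after QTYPE/QCLASS."""
    if len(payload) < 12:
        return False
    _ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qdcount != 1 or ancount or nscount or arcount:
        return False
    pos = 12
    while True:
        if pos >= len(payload):
            return False
        label_len = payload[pos]
        if label_len == 0:
            pos += 1
            break
        if label_len & 0xC0:  # labels are at most 63 bytes; no compression pointers in a query name
            return False
        pos += 1 + label_len
    return pos + 4 == len(payload)  # QTYPE and QCLASS must close the packet

def build_query(name: str) -> bytes:
    """Build a minimal A/IN query for name (used only to construct sample data)."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def flag_udp53(flows):
    """Return (reason, process, dst) for each UDP/53 flow to a host outside
    KNOWN_RESOLVERS or whose payload does not parse as a DNS query."""
    alerts = []
    for proc, proto, dst, port, payload in flows:
        if proto != "udp" or port != 53:
            continue
        if dst not in KNOWN_RESOLVERS:
            alerts.append(("unknown-resolver", proc, dst))
        if not looks_like_dns_query(payload):
            alerts.append(("non-dns-payload", proc, dst))
    return alerts

# Constructed flows: (process, proto, dst_ip, dst_port, payload)
SAMPLE_FLOWS = [
    ("bash.exe", "udp", "192.0.2.53", 53, build_query("cygwin.com")),      # ordinary lookup
    ("wget.exe", "udp", "203.0.113.7", 53, build_query("cygwin.com")),     # real DNS, unknown host
    ("foo.exe", "udp", "192.0.2.53", 53, b"HKLM\\Software\\Example=value"),  # port 53, not DNS
]
```

Calling flag_udp53(SAMPLE_FLOWS) reports the wget flow as going to an unknown resolver and the foo.exe flow as carrying a non-DNS payload, while the bash lookup passes.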