The importance of using stateful firewall rules on port 53 (DNS)

Scenario

A firewall appliance forwards DNS traffic to the outside world. The traffic generated, taking Server 2008 as described on TechNet as the example, is:

| Traffic Type                     | Source of Transmission | Source Port                           | Destination of Transmission | Destination Port                      |
|----------------------------------|------------------------|---------------------------------------|-----------------------------|---------------------------------------|
| Queries from local DNS server    | Local DNS server       | A random port numbered 49152 or above | Any remote DNS server       | 53                                    |
| Responses to local DNS server    | Any remote DNS server  | 53                                    | Local DNS server            | A random port numbered 49152 or above |
| Queries from remote DNS server   | Any remote DNS server  | A random port numbered 49152 or above | Local DNS server            | 53                                    |
| Responses to remote DNS server   | Local DNS server       | 53                                    | Any remote DNS server       | A random port numbered 49152 or above |

What this means is that any local DNS server must be able to receive incoming traffic on port 53, and must also be able to receive replies coming from source port 53 on remote servers.

(IP addresses and domain names for example only)

Let’s do a port scan on a remote server (warning, it is illegal to do this without permission) using the nmap command:

# nmap -v ns1.mydomain.co.uk

results in:

Starting Nmap 5.51 ( http://nmap.org ) at 2014-06-11 15:52 BST
Initiating Ping Scan at 15:52
Scanning ns1.mydomain.co.uk (11.12.12.13) [4 ports]
Completed Ping Scan at 15:52, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:52
Completed Parallel DNS resolution of 1 host. at 15:52, 0.00s elapsed
Initiating SYN Stealth Scan at 15:52
Scanning ns1.mydomain.co.uk (11.12.12.13) [120 ports]
Discovered open port 53/tcp on 11.12.12.13
Discovered open port 25/tcp on 11.12.12.13
Discovered open port 3389/tcp on 11.12.12.13
Increasing send delay for 11.12.12.13 from 0 to 5 due to 12 out of 38 dropped probes since last increase.
Discovered open port 443/tcp on 11.12.12.13
Discovered open port 22/tcp on 11.12.12.13

What we happen to know about this server, as it is our own, is that it is our DNS server and it is also running ntp on port 123 – but the firewall rules say that ntp (port 123) is not visible to the outside world.

The Twist

The firewall rules do not block traffic from source port 53, because packets from that source port are exactly what a lookup response looks like when it comes back from another server. What happens if we spoof a packet with a source port of 53 and a destination port of 123?

nmap -v -P0 -sU -p123 ns1.mydomain.co.uk -g 53

Starting Nmap 5.51 ( http://nmap.org ) at 2014-06-11 16:08 BST
Initiating Parallel DNS resolution of 1 host. at 16:08
Completed Parallel DNS resolution of 1 host. at 16:08, 0.00s elapsed
Initiating UDP Scan at 16:08
Scanning ns1.mydomain.co.uk (11.12.12.13) [1 port]
Discovered open port 123/udp on 11.12.12.13
Completed UDP Scan at 16:08, 0.05s elapsed (1 total ports)
Nmap scan report for ns1.mydomain.co.uk (11.12.12.13)
Host is up (0.037s latency).
rDNS record for 11.12.12.13: 13.12.12.11.badservers.com
PORT    STATE SERVICE
123/udp open  ntp
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
           Raw packets sent: 1 (76B) | Rcvd: 1 (76B)

What happens if we send it to port 124 (nothing is running on this port)?

nmap -v -P0 -sU -p124 ns1.mydomain.co.uk -g 53

Starting Nmap 5.51 ( http://nmap.org ) at 2014-06-11 16:10 BST
Initiating Parallel DNS resolution of 1 host. at 16:10
Completed Parallel DNS resolution of 1 host. at 16:10, 0.00s elapsed
Initiating UDP Scan at 16:10
Scanning ns1.mydomain.co.uk (11.12.12.13) [1 port]
Completed UDP Scan at 16:10, 2.04s elapsed (1 total ports)
Nmap scan report for ns1.mydomain.co.uk (11.12.12.13)
Host is up.
rDNS record for 11.12.12.13: 13.12.12.11.badservers.com
PORT    STATE         SERVICE
124/udp open|filtered ansatrader
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds
           Raw packets sent: 2 (56B) | Rcvd: 0 (0B)

There is a subtle but important difference here. In the first scenario a response packet was received whereas in the second scenario one was not.

This means that it is possible for an attacker to scan the server for services that appear to be safely behind the firewall: a stateless "allow source port 53" rule lets any packet in as long as it claims that source port, whatever its destination port. It's even possible that an attacker could use the scapy library (as used in the ntp DDoS attack) to explore the entire corporate network the same way.

Resolution

Firewall rules must include something like the following (check your port ranges):

IPT=iptables
WANIFACE=eth0   # placeholder: the public-facing interface name; -i/-o take an interface, not an IP address
# -I prepends, so the effective INPUT order is the reverse of the order written here:
# replies to our own queries (ESTABLISHED,RELATED) match first, then any other packet
# claiming source port 53 is dropped, which is what defeats the spoofed "-g 53" probe.
$IPT -I INPUT -i $WANIFACE -p udp --sport 53 -j DROP
$IPT -I INPUT -i $WANIFACE -p tcp --sport 53 -j DROP
$IPT -I INPUT -i $WANIFACE -p udp --dport 1024:65535 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -I INPUT -i $WANIFACE -p tcp --dport 1024:65535 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound queries to --dport 53 (the server's own authoritative role) need their own ACCEPT rule, not shown here.
# Outbound queries create the conntrack entries that the ESTABLISHED rules above rely on.
$IPT -I OUTPUT -o $WANIFACE -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -I OUTPUT -o $WANIFACE -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
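To show why the stateful version closes the gap described above, here is a small added Python model (not the post's or the firewall's code; hosts and ports are constructed) that evaluates a legitimate DNS reply and the spoofed source-port-53 probe from the scans against both a stateless "allow sport 53" rule and the conntrack-backed rule.

```python
from dataclasses import dataclass

LOCAL_DNS = "192.0.2.10"      # constructed: our DNS server behind the firewall
REMOTE_DNS = "198.51.100.53"  # constructed: a legitimate upstream resolver
ATTACKER = "203.0.113.7"      # constructed: external host sending sport-53 probes

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Conntrack:
    """Minimal model of netfilter state: an outbound packet records its 5-tuple;
    an inbound packet is ESTABLISHED only if it is the exact reverse of one."""
    def __init__(self):
        self._flows = set()
    def note_outbound(self, pkt: Packet) -> None:
        self._flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    def is_established(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows

def stateless_policy(pkt: Packet) -> str:
    """The flawed rule: any inbound packet from source port 53 is let through."""
    return "ACCEPT" if pkt.sport == 53 else "DROP"

def stateful_policy(pkt: Packet, ct: Conntrack) -> str:
    """The corrected rule: sport-53 traffic to an ephemeral port is accepted only
    when conntrack holds the matching outbound query; other sport-53 packets drop."""
    if pkt.sport == 53 and 1024 <= pkt.dport <= 65535 and ct.is_established(pkt):
        return "ACCEPT"
    return "DROP"

def run_scenario() -> dict:
    ct = Conntrack()
    # Our server sends a real query from an ephemeral port; conntrack remembers it.
    ct.note_outbound(Packet("udp", LOCAL_DNS, 51234, REMOTE_DNS, 53))
    reply = Packet("udp", REMOTE_DNS, 53, LOCAL_DNS, 51234)
    # The probe from the post: spoofed sport 53 aimed at the 'hidden' ntp port 123.
    probe = Packet("udp", ATTACKER, 53, LOCAL_DNS, 123)
    return {
        "reply_stateless": stateless_policy(reply),
        "reply_stateful": stateful_policy(reply, ct),
        "probe_stateless": stateless_policy(probe),
        "probe_stateful": stateful_policy(probe, ct),
    }
```

Both policies pass the genuine reply, but only the stateful one drops the probe, because no outbound query to the attacker's address exists in the state table.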