This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: why is bash trying to access my DNS? [OT]


John,

I get it.

Well, on my system, running Norton Personal Firewall, each distinct program that attempts to access the Internet or to which a connection is attempted (and which is not known to be and has not been granted access rights) produces an alert. I take it this much is like ZoneAlarm.

In NPF one can continue to individually grant and deny these attempts or choose to grant or deny them "forever" (which just causes a new rule to be added to NPF's database--those rules can be edited.) NPF also has a "zones" notion that allows different protection regimes to be applied to different zones. Zones are defined by IP addresses or ranges thereof. I never reflexively hit "grant" on those alerts. Most of the time if I'm going to grant (not deny), I'll make it a rule and not have to bother again.

NPF seems to know in detail (beyond just file name) the applications to which its rules apply, since when I re-install something (say wget) using the updated application triggers an alert from NPF again.

Perhaps the free version of ZoneAlarm does not provide as flexible or readily accessible a facility for defining new access control rules? All I really recall about it was that it (I was actually using one of the "premium" non-free($) versions) caused my system to lock up when I used Internet Connection Sharing. That was a couple of years ago. I dumped it after a couple of those incidents.

Randall Schulz


At 08:38 2003-03-04, John P. Rouillard wrote:


>On Mon, 2003-03-03 at 23:59, Randall R Schulz wrote:
>> Geoffrey,
>>
>> Exactly what sneaky data can get sent in a DNS request?
>> [...]
>
>Actually, plenty.  Historically, Bind has been easily hacked.  Although
>it's been a while since a good vulnerability was found in Bind, that
>doesn't mean there's not an unknown hole in it which could be exploited.
>
>However, in order to exploit such a hole, the attacking system has to
>be, in one way or another, "owned".  Anybody with the presence of mind
>to be running ZoneAlarm (or something similar) would certainly know if
>their system(s) had been compromised in such a fashion.

Why is everybody assuming that a random host on the internet is running
a dns server on port 53? Consider this scenario:

  I put my machine on the internet. I then put a udp listener at port
  53.  I then distribute software that knows how to create a udp packet
  to port 53 on my host. I can send anything I want to that port,
  files, passwords, registry entries... Just because it's going to a
  DNS port does not mean that it's DNS data. It just means that it's
  data for the service at that particular IP Address/Port number.

Now if you filter to certain hosts that you KNOW are running dns on
port 53, then that is different. However that means you must keep
updating the filter lists since I know my ISP changes my DNS servers
almost every time I dial up. (My guess is they have a couple of DNS
servers per class C subnet/POP, but that's just a guess).

Running ZoneAlarm gives you a hint that something bad may be going on
when a program that shouldn't be making DNS queries starts making
them.  Or alternatively starts making queries to the DNS port
on joe blow's computer rather than a local network computer.

                -- rouilj
John Rouillard
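The two points John makes above (a packet to port 53 is not necessarily DNS, and a query to an unknown host on port 53 is worth an alert) can both be turned into a simple egress check. The following is an added example written for this archive page, not code from either poster or from the Cygwin project; the resolver allow-list, the datagrams and the addresses (documentation ranges) are constructed for the example, and the check only looks at the DNS header and question section.

```python
"""
Added example (not from the thread): classify UDP datagrams addressed to port 53.

Two checks, both from the defender's side of the discussion above:
  1. destination allow-list -- is the packet going to a resolver we know about?
  2. payload sanity         -- does the payload actually parse as a DNS query?
The resolver list and sample datagrams below are constructed for the example.
"""
import struct

# Constructed allow-list of resolvers (placeholder addresses from a documentation range).
KNOWN_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def parse_dns_query(payload: bytes):
    """Return (qname, qtype) if payload is a well-formed single-question DNS
    query, otherwise None.  Only the header and the question section are checked."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:                 # QR bit set: a response, not a query
        return None
    if qdcount != 1 or ancount or nscount:
        return None                    # a plain query has one question and no answers
    pos = 12
    labels = []
    while True:
        if pos >= len(payload):
            return None                # name runs off the end of the datagram
        length = payload[pos]
        pos += 1
        if length == 0:
            break                      # root label terminates the name
        if length & 0xC0 or length > 63:
            return None                # compression pointers / overlong labels: not valid in a query name
        label = payload[pos:pos + length]
        if len(label) != length:
            return None
        labels.append(label.decode("ascii", errors="replace"))
        pos += length
    if len(payload) < pos + 4:
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if qclass != 1:                    # only the IN class is expected here
        return None
    if arcount == 0 and pos + 4 != len(payload):
        return None                    # trailing bytes with nothing declared to hold them
    return ".".join(labels), qtype


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query (A record by default) for the sample data."""
    qname = b"".join(bytes([len(part)]) + part.encode() for part in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QR clear
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def classify(dst_ip: str, dst_port: int, payload: bytes) -> str:
    """Decide what a firewall or sensor should say about one outbound datagram."""
    if dst_port != 53:
        return "not-dns-port"
    parsed = parse_dns_query(payload)
    if parsed is None:
        return "alert: non-DNS payload on port 53"
    if dst_ip not in KNOWN_RESOLVERS:
        return "alert: DNS query to unknown resolver"
    return "ok: %s" % parsed[0]


# Constructed sample traffic: a normal lookup, the same lookup sent to a stranger's
# host, and arbitrary bytes aimed at port 53 (John's "udp listener at port 53").
SAMPLE_DATAGRAMS = [
    ("192.0.2.53", 53, build_query("cygwin.com")),
    ("203.0.113.7", 53, build_query("cygwin.com")),
    ("203.0.113.7", 53, b"not a dns query at all"),
]

if __name__ == "__main__":
    for ip, port, data in SAMPLE_DATAGRAMS:
        print(ip, port, classify(ip, port, data))
```

The allow-list check is exactly the "filter to certain hosts that you KNOW are running dns" idea, with the maintenance cost John notes: when the ISP hands out a different resolver, KNOWN_RESOLVERS has to change. The payload check is the part a per-program firewall alone does not give you; it catches the case where the destination port is 53 but the bytes are not a DNS question at all.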



