DNS is essential to connectivity, and allowing DNS traffic is mandatory for every Internet user. However, the default DNS rule Tiny supplies is less restrictive than it should be: as written, it permits any application to reach port 53 on any remote host, which a hostile app could use as a back door through your firewall.

To tighten it up, you first need to know the IP addresses of the DNS servers your ISP assigns to you. These are usually found in your TCP/IP settings under "Network" in the Control Panel. If the two addresses are directly adjacent, you can simply change the default rule from "any remote host, remote port 53" to "IP range [the two addresses you found in DNS setup]." One limitation of Tiny is that it cannot process lists of IPs, only ranges and netmasks; a range or netmask may be desirable or acceptable in some special situations, but it also admits every address in between. If your two addresses do not form a range, just duplicate the rule, one copy for the primary DNS server and one for the backup.
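Because Tiny accepts only a single address, a contiguous range, or a network/netmask, it helps to work out in advance how many rules you need and how much extra address space a netmask would open. The following Python script is an added example, not part of the original FAQ or of Tiny itself; the DNS server addresses in it are constructed from documentation ranges and stand in for whatever your ISP assigns. It reports whether the servers are adjacent (one range rule suffices), otherwise recommends one rule per server, and shows the smallest netmask that would cover them along with the number of non-DNS hosts that netmask would admit.

```python
import ipaddress


def covering_network(addrs):
    """Smallest single network (netmask) that contains every address in addrs."""
    first, last = addrs[0], addrs[-1]
    for prefix in range(first.max_prefixlen, -1, -1):
        net = ipaddress.ip_network(f"{first}/{prefix}", strict=False)
        if last in net:
            return net
    raise ValueError("no covering network")  # unreachable for valid input


def plan_dns_rules(servers):
    """Decide how to express a set of DNS server addresses as firewall rules.

    servers: iterable of IP address strings (the ISP's primary/backup DNS).
    Returns a dict with:
      contiguous            - True if the addresses form one unbroken range
      rules                 - list of ("single", ip) or ("range", first, last)
      netmask_alternative   - smallest network covering all servers
      extra_hosts_admitted  - how many non-DNS addresses that netmask allows
    """
    addrs = sorted({ipaddress.ip_address(s) for s in servers})
    contiguous = all(int(b) - int(a) == 1 for a, b in zip(addrs, addrs[1:]))
    net = covering_network(addrs)
    extra = net.num_addresses - len(addrs)

    if len(addrs) == 1:
        rules = [("single", str(addrs[0]))]
    elif contiguous:
        # Adjacent addresses: one "IP range" rule covers both servers exactly.
        rules = [("range", str(addrs[0]), str(addrs[-1]))]
    else:
        # Tiny has no address lists, so duplicate the rule, one per server.
        rules = [("single", str(a)) for a in addrs]

    return {
        "contiguous": contiguous,
        "rules": rules,
        "netmask_alternative": str(net),
        "extra_hosts_admitted": extra,
    }


if __name__ == "__main__":
    # Constructed examples using documentation address space (not real ISP servers).
    for servers in (["192.0.2.10", "192.0.2.11"], ["192.0.2.10", "198.51.100.20"]):
        plan = plan_dns_rules(servers)
        print(servers, "->", plan["rules"])
        print("  netmask alternative:", plan["netmask_alternative"],
              "would admit", plan["extra_hosts_admitted"], "extra hosts")
```

For two adjacent servers the netmask alternative is a /31 that admits nothing extra, so a range rule is exact; for two servers in unrelated networks the covering netmask balloons to a /5 and would admit well over a hundred million hosts, which is why the FAQ recommends a separate rule per server in that case.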

For reference, the standard rule for DNS is:

ALLOW
both directions
UDP*
application ANY
local port ANY
single remote port 53
single remote address [my.isp.dns.ip]**
nolog - noalert

Notes:
*To allow a "dig" application to use a nameserver, TCP must be enabled as well as UDP.
**It may be necessary to use two or more rules if your ISP uses non-contiguous nameserver addresses.

In general, it is not unusual for an ISP to change DNS servers in some circumstances. You can provide for this by placing a rule like the following below all of the DNS allow rules, so that queries to a nameserver you have not explicitly allowed are logged and alerted instead of passing unnoticed:

DENY
both TCP/UDP
application ANY
local port ANY
single remote port 53
any remote address
log - alert

Finally, some software apps will poll a foreign DNS server as part of their operation. If you see a recurring deny alert every time a certain app runs, check the app's documentation to confirm that this is expected. Verify that the IP the app is contacting is a valid nameserver; remember, hostile apps and trojans can "spoof" common remote ports to confuse you! Once you have verified it, allow name resolution for that app with a rule like this:

ALLOW
UDP*
application [the name of specialty app you're running]
local port ANY
single remote port 53
single remote address [the correct nameserver for that app]
nolog - noalert

position: high
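The three rules above only work as intended if they are evaluated in the right order: the ISP allow and the per-app allow (hence "position: high") must sit above the catch-all deny, or the deny swallows everything. The following Python model is an added example, not Tiny's code or the FAQ's; it implements a first-match rule evaluator with the same fields as the rules above (protocol, application, remote port, remote address, log/alert), loads the three rules with constructed documentation addresses in place of real nameservers, and runs a few constructed connection attempts through both a correctly ordered and a misordered rule set.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                              # "ALLOW" or "DENY"
    protocols: Tuple[str, ...]               # ("UDP",) or ("UDP", "TCP")
    application: str                         # "ANY" or an executable name
    remote_port: Optional[int]               # None means any remote port
    remote: Optional[ipaddress.IPv4Network]  # None means any remote address
    log: bool = False                        # "log - alert" vs "nolog - noalert"


@dataclass
class Event:
    application: str
    protocol: str
    remote_ip: str
    remote_port: int


def rule_matches(rule: Rule, ev: Event) -> bool:
    """True if every field of the rule accepts the event (ANY/None are wildcards)."""
    if ev.protocol not in rule.protocols:
        return False
    if rule.application != "ANY" and rule.application.lower() != ev.application.lower():
        return False
    if rule.remote_port is not None and rule.remote_port != ev.remote_port:
        return False
    if rule.remote is not None and ipaddress.ip_address(ev.remote_ip) not in rule.remote:
        return False
    return True


def evaluate(rules: List[Rule], ev: Event) -> Optional[Rule]:
    """First-match evaluation, top to bottom; None means no rule in the set applied."""
    for rule in rules:
        if rule_matches(rule, ev):
            return rule
    return None


def audit(rules: List[Rule], events: List[Event]) -> List[str]:
    """Return the alert lines an administrator would see: logged DENY decisions."""
    alerts = []
    for ev in events:
        rule = evaluate(rules, ev)
        if rule is not None and rule.action == "DENY" and rule.log:
            alerts.append(f"{ev.application} -> {ev.remote_ip}:{ev.remote_port}/{ev.protocol}")
    return alerts


# Constructed rule set mirroring the FAQ. Addresses are documentation ranges,
# not real nameservers: 192.0.2.10-11 plays the ISP's DNS pair and
# 198.51.100.53 the nameserver a hypothetical "specialapp.exe" needs.
ISP_DNS = Rule("isp-dns", "ALLOW", ("UDP",), "ANY", 53,
               ipaddress.ip_network("192.0.2.10/31"))
APP_DNS = Rule("specialapp-dns", "ALLOW", ("UDP",), "specialapp.exe", 53,
               ipaddress.ip_network("198.51.100.53/32"))
DENY_OTHER = Rule("deny-other-dns", "DENY", ("UDP", "TCP"), "ANY", 53, None, log=True)

RULES = [ISP_DNS, APP_DNS, DENY_OTHER]        # per-app allow positioned high
MISORDERED = [ISP_DNS, DENY_OTHER, APP_DNS]   # per-app allow below the deny: never fires

SAMPLE_EVENTS = [
    Event("browser.exe", "UDP", "192.0.2.11", 53),       # ordinary lookup via ISP DNS
    Event("specialapp.exe", "UDP", "198.51.100.53", 53), # the app's own nameserver
    Event("unknown.exe", "UDP", "198.51.100.53", 53),    # other app, same foreign DNS
    Event("unknown.exe", "TCP", "203.0.113.7", 53),      # TCP to an unknown host
    Event("dig.exe", "TCP", "192.0.2.10", 53),           # TCP to ISP DNS: UDP-only allow
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        rule = evaluate(RULES, ev)
        print(f"{ev.application:15} {ev.protocol} {ev.remote_ip}:{ev.remote_port} ->",
              f"{rule.action} ({rule.name})" if rule else "no DNS rule matched")
    print("alerts to review:", audit(RULES, SAMPLE_EVENTS))
```

Two things the output makes concrete: the "dig" footnote (a TCP query to the ISP's own nameserver still hits the logged deny because the allow is UDP only), and the ordering point (in MISORDERED the specialty app's query is denied and logged even though a rule for it exists, because the catch-all deny matches first).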

021102-512


by gwion, edited by JMGullett
last modified: 2007-06-29 15:24:20