Security Incidents mailing list archives
RE: Pubstro rash
From: "Joshua Berry" <jberry () PENSON COM>
Date: Fri, 18 Mar 2005 09:30:51 -0600
I have never had a DNS query that had a response that was over 512 bytes. For that reason I disable all inbound DNS over 53/tcp. I have been using this configuration for years and even run my own DNS servers and have see absolutely no problems. -----Original Message----- From: Jeff Kell [mailto:jeff-kell () utc edu] Sent: Thursday, March 17, 2005 6:07 PM To: alexandre.skyrme () ciphersec com br Cc: incidents () securityfocus com; gillettdavid () fhda edu Subject: Re: Pubstro rash Alexandre Skyrme wrote:
Greetings David, Just a thought about your third comment... As far as I'm concerned DNS just uses 53/TCP to do zone transfers. In
case
your workstations are on a different network than your DNS servers it
should
probably be safe to block incoming TCP connections to that network on
such
port. Tipically zone transfers would only be used by secondary servers to
update
their own zones from its primary server.
RFC1035 allows 512 bytes for a DNS response (53) but they may now be longer, according to RFC2671 and others. If the DNS query fails or is "truncated", the query may be repeated over TCP. So, 53/tcp is NOT just for zone transfers. Jeff
Current thread:
- RE: Pubstro rash David Gillett (Mar 17)
- RE: Pubstro rash Nick FitzGerald (Mar 17)
- <Possible follow-ups>
- RE: Pubstro rash k levinson (Mar 17)
- RE: Pubstro rash David LeBlanc (Mar 18)
- Re: Pubstro rash Brian Eckman (Mar 28)
- RE: Pubstro rash Joshua Berry (Mar 18)
- Re: Pubstro rash Jeff Kell (Mar 18)
- Re: Pubstro rash Valdis . Kletnieks (Mar 18)