nanog mailing list archives
Re: using TCP53 for DNS
From: Nils Ketelsen <nils.ketelsen () kuehne-nagel com>
Date: Thu, 28 Apr 2005 09:25:47 +0200
Patrick W. Gilmore wrote:
> In the thread about ns*.worldnic.com, many people were complaining about DNS responses/queries on TCP port 53. At least one DoS mitigation box uses TCP53 to "protect" name servers. Personally I thought this was a pretty slick trick, but it appears to have caused a lot of problems. From the thread (certainly not a scientific sampling), many people seem to be filtering port 53 TCP to their name servers.
I know that many people block 53/TCP to their nameservers or from their resolvers. Firewall configs are widely based on rumours ("I've heard DNS runs on UDP/53"), not on protocol definitions. The problem is that blocking TCP/53 outgoing from your resolver will work in 99% (wild guess) of all cases, and therefore if it does not work for resolving manyrecords.example.com it obviously is the fault of example.com. Many "security experts" believe that 53/TCP is only used for zone transfers.

Nils
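As an added illustration (not part of the thread, not code from either poster), here is a minimal Python resolver client that does what RFC 1035 requires of every resolver: query over UDP/53 first and, when the answer comes back with the TC (truncated) bit set, repeat the same query over TCP/53. The server address and the name manyrecords.example.com are assumptions; the network functions are for live use, while the message builders and the TC check work offline.

```python
import socket
import struct

# Added example: UDP query with fallback to TCP on truncation. A firewall that
# drops outbound TCP/53 from the resolver breaks exactly the second step, so
# large answers fail while small ones keep working (the thread's symptom).

def build_query(qname, qtype=16, txid=0x1234):
    """Wire-format DNS query; qtype 16 = TXT, often too big for 512-byte UDP."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    labels = qname.strip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)

def is_truncated(response):
    """True when the TC bit (0x0200 in the flags word) is set in the header."""
    if len(response) < 12:
        raise ValueError("short DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)

def tcp_frame(message):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message

def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("TCP/53 closed before the full answer arrived")
        data += chunk
    return data

def resolve_with_fallback(server, qname, qtype=16, timeout=3.0):
    """Returns (transport_used, raw_response). 'server' is an assumed IP."""
    query = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        resp, _ = udp.recvfrom(4096)
    if not is_truncated(resp):
        return ("udp", resp)
    # TC=1: the resolver must retry over TCP. If 53/TCP is filtered, this
    # connect times out or is refused and only the large records fail.
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(query))
        length = struct.unpack("!H", recv_exact(tcp, 2))[0]
        return ("tcp", recv_exact(tcp, length))
```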