nanog mailing list archives
Re: large organization nameservers sending icmp packets to dns servers.
From: Donald Stahl <don () calis blacksun org>
Date: Tue, 7 Aug 2007 16:33:22 -0400 (EDT)
Can someone, anyone, please explain to me why blocking TCP 53 is considered such a security enhancement? It's a token gesture and does nothing to really help improve security. It does, however, cause problems.

This has been a pain for me for years. I have tried to reason with security people about this and, while they don't dispute my reasoning, they always end up saying that it is the "standard" practice and that, lacking any evidence of what it might be breaking, it will continue to be blocked. And I don't mean small companies, either. One of the biggest issues I have is with one of the country's largest government-funded research labs.
You have no way of knowing why a client might want or need to contact you via TCP 53 for DNS- so why would you block them?
The fact is most people, to this day, still believe that TCP 53 is only used for AXFRs.
Someone was only too happy to point out to me that he would never create a record larger than 512 bytes, so why should they allow TCP queries? The answer is simple: because they are supposed to be allowed. By disallowing them you are breaking the agreed-upon rules for the protocol. Before long it becomes impossible to implement new features because you can't be sure someone else hasn't broken something intentionally.
If you don't like the rules- then change the damned protocol. Stop just doing whatever you want and then complaining when other people disagree with you.
-Don
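An added example, not from Don's message or anyone else in this thread, to make the 512-byte point concrete: a stub resolver asks over UDP, the server can only fit part of the answer in an RFC 1035 UDP payload and sets the TC (truncated) bit, and the resolver has to retry the same query over TCP/53 to get the whole RRset. No zone transfer is involved anywhere. Everything here is simulated in memory (serve_udp, serve_tcp and the tcp53_blocked flag stand in for a real authoritative server and a packet filter; the 10.0.0.x addresses and www.example.com are constructed data), so it runs offline.

```python
"""
Added example (not from the NANOG post): an offline model of RFC 1035
truncation. A stub resolver asks over UDP, gets a 512-byte-limited
answer with TC=1, and must retry over TCP/53 to get the full RRset.
Blocking TCP/53 turns that retry into a hard failure. No sockets are
used; serve_udp/serve_tcp and tcp53_blocked stand in for a real
authoritative server and a packet filter.
"""
import struct

UDP_MAX = 512          # RFC 1035 s4.2.1: max UDP payload without EDNS0
FLAG_QR = 0x8000       # message is a response
FLAG_TC = 0x0200       # truncated: client should retry over TCP
FLAG_RD = 0x0100       # recursion desired
FLAG_RA = 0x0080       # recursion available
A_RR_LEN = 2 + 10 + 4  # compression pointer + fixed RR fields + IPv4 address


def encode_name(name):
    """'www.example.com' -> length-prefixed labels, zero-terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name, qtype=1):
    """Standard query: 12-byte header plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, rdatas, tc=False):
    """Answer the query with one A record per rdata. The owner name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if tc else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(rdatas), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(r)) + r
                   for r in rdatas)
    return header + query[12:] + rrs


def parse_header(msg):
    fields = ("id", "flags", "qdcount", "ancount", "nscount", "arcount")
    return dict(zip(fields, struct.unpack("!HHHHHH", msg[:12])))


def tcp_frame(msg):
    """RFC 1035 s4.2.2: over TCP every message carries a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    (n,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + n]


def serve_udp(query, rdatas):
    """Simulated authoritative server on UDP/53: send as many whole RRs as
    fit in 512 bytes and set TC if anything had to be left out."""
    full = build_response(query, rdatas)
    if len(full) <= UDP_MAX:
        return full
    fit = (UDP_MAX - len(query)) // A_RR_LEN   # header + question == len(query)
    return build_response(query, rdatas[:fit], tc=True)


def serve_tcp(query, rdatas):
    """Same server on TCP/53: no 512-byte limit, length-prefixed framing."""
    return tcp_frame(build_response(query, rdatas))


def resolve(query, rdatas, tcp53_blocked=False):
    """Stub resolver: UDP first, retry over TCP when the answer has TC=1.
    Returns (number of answer RRs received, transport that delivered them)."""
    udp = serve_udp(query, rdatas)
    hdr = parse_header(udp)
    if not hdr["flags"] & FLAG_TC:
        return hdr["ancount"], "udp"
    if tcp53_blocked:
        # This is what the firewall rule actually buys you: a lookup that
        # never completes, although no zone transfer was ever attempted.
        raise TimeoutError("answer truncated and TCP/53 filtered")
    tcp = tcp_unframe(serve_tcp(query, rdatas))
    return parse_header(tcp)["ancount"], "tcp"


def sample_rrset(n):
    """Constructed data: n A records 10.0.0.1, 10.0.0.2, ... (not real hosts)."""
    return [bytes([10, 0, i >> 8, i & 0xFF]) for i in range(1, n + 1)]


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    print(resolve(q, sample_rrset(3)))     # (3, 'udp'): 81 bytes, fits
    print(resolve(q, sample_rrset(40)))    # (40, 'tcp'): 673 bytes, truncated on UDP
    try:
        resolve(q, sample_rrset(40), tcp53_blocked=True)
    except TimeoutError as e:
        print("blocked:", e)
```

With 40 A records the full response is 673 bytes; on UDP the server can fit only 29 of them before hitting 512, sets TC, and a resolver that cannot reach TCP/53 simply never gets the rest. EDNS0 raises the UDP limit, but it does not remove the fallback: servers still truncate at their advertised or fragmentation-safe size, and RFC 7766 makes TCP a required transport for DNS, so the filtering rule breaks conforming clients rather than only AXFR.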
Current thread:
- Re: large organization nameservers sending icmp packets to dns servers., (continued)
- Re: large organization nameservers sending icmp packets to dns servers. John L (Aug 06)
- Re: large organization nameservers sending icmp packets to dns servers. Patrick W. Gilmore (Aug 06)
- Re: large organization nameservers sending icmp packets to dns servers. Chris L. Morrow (Aug 06)
- Re: large organization nameservers sending icmp packets to dns servers. Peter Dambier (Aug 06)
- Re: large organization nameservers sending icmp packets to dns servers. Joe Abley (Aug 06)
- RE: large organization nameservers sending icmp packets to dns servers. Jason J. W. Williams (Aug 07)
- RE: large organization nameservers sending icmp packets to dns servers. Donald Stahl (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Patrick W. Gilmore (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Joe Abley (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Kevin Oberman (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Donald Stahl (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Kevin Oberman (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Andrew Sullivan (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Douglas Otis (Aug 07)
- Re: large organization nameservers sending icmp packets to dns servers. Paul Vixie (Aug 08)
- Re: large organization nameservers sending icmp packets to dns servers. Douglas Otis (Aug 08)
- Re: large organization nameservers sending icmp packets to dns servers. Paul Vixie (Aug 08)
- Re: large organization nameservers sending icmp packets to dns servers. Douglas Otis (Aug 09)
- Re: large organization nameservers sending icmp packets to dns servers. Paul Vixie (Aug 09)
- Re: large organization nameservers sending icmp packets to dns servers. Valdis . Kletnieks (Aug 09)
- Re: large organization nameservers sending icmp packets to dns servers. Paul Vixie (Aug 09)