nanog mailing list archives
Re: large organization nameservers sending icmp packets to dns servers.
From: David Conrad <drc () virtualized org>
Date: Tue, 7 Aug 2007 15:40:29 -0700
Hi,

On Aug 7, 2007, at 1:33 PM, Donald Stahl wrote:

> Can someone, anyone, please explain to me why blocking TCP 53 is considered such a security enhancement? It's a token gesture and does nothing to really help improve security. It does, however, cause problems.

It has been argued that it is a bit harder to download/bootstrap shell code/arbitrary root kit through the latest BIND vulnerability (or whatever) via a 512 UDP packet than it is through TCP.

> Someone was only too happy to point out to me that he would never create a record larger than 512 bytes so why should they allow TCP queries? The answer is simple - because they are supposed to be allowed.

Yep. However, as the always amusing Dr. Bernstein points out, if you don't care about zone transfer, DNS-over-TCP is an optional part of the standard (per RFC 1123).

> Before long it becomes impossible to implement new features because you can't be sure if someone else hasn't broken something intentionally.

Yep. And then they scream at you when you tickle their brokenness. It sucks.

Rgds,
-drc

P.S. Note that I think blocking TCP/53 is really stupid.
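As an added illustration of the 512-byte point argued above (example code written for this archive page, not from anyone in the thread): a minimal Python stub resolver that sends a query over UDP, inspects the TC (truncated) bit in the response header, and only then retries over TCP/53 with the 2-byte length framing DNS-over-TCP requires. The server address and the sample response bytes are constructed; if TCP/53 is filtered on the server side, the retry in `resolve` fails and the client is left with a truncated answer.

```python
import socket
import struct

TC_BIT = 0x0200  # RFC 1035 section 4.1.1 header flag: message was truncated

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a plain DNS query (RD set, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def is_truncated(response: bytes) -> bool:
    """True when the TC bit is set, i.e. the answer did not fit in the UDP reply."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_BIT)

def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def resolve(server: str, name: str, timeout: float = 3.0):
    """Query over UDP first; fall back to TCP/53 only when the UDP answer was truncated."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, 53))
        resp, _ = u.recvfrom(512)  # classic 512-byte UDP payload limit
    if not is_truncated(resp):
        return resp, "udp"
    # TC set: the server could not fit the answer in 512 bytes. A filter on
    # TCP/53 turns this retry into a timeout, which is what breaks clients.
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(tcp_frame(q))
        length = struct.unpack("!H", t.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = t.recv(length - len(data))
            if not chunk:
                raise ConnectionError("TCP/53 closed mid-message")
            data += chunk
    return data, "tcp"

# Constructed sample headers (no answer section) for offline checks:
# flags 0x8380 = QR|TC|RD|RA (truncated), 0x8180 = QR|RD|RA (complete).
SAMPLE_TRUNCATED = bytes.fromhex("123483800001000000000000")
SAMPLE_COMPLETE = bytes.fromhex("123481800001000000000000")
```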