nanog mailing list archives
Re: large organization nameservers sending icmp packets to dns servers.
From: Adrian Chadd <adrian () creative net au>
Date: Thu, 9 Aug 2007 00:10:23 +0800
On Wed, Aug 08, 2007, Jamie Bowden wrote:
> Forgive my broken formatting, but LookOut, it's Microsoft! Is what we use, period. I have a question related to what you posted below, and it's a pretty simple one: How is answering a query on TCP/53 any MORE dangerous than answering it on UDP/53? Really. I'd like to know how one of these security nitwits justifies it. It's the SAME piece of software answering the query either way.
I'd hazard a guess and say something like "TCP state complexity > UDP state complexity" and that possibly leading to a potential DoS. But then, there's also stuff like stateful firewalls which can more aggressively timeout UDP flows (and not break DNS ones, since they're not exactly long-living!) but die under large TCP loads. And TCP takes CPU to setup/teardown, and requires client-side state.

Adrian
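Added example, not part of this NANOG thread or of any software the posters describe: a small Python model of what "the same piece of software answering either way" looks like on the wire. The DNS message built by build_query is byte-for-byte identical over UDP and TCP; TCP only adds the two-octet length prefix from RFC 1035 section 4.2.2, and the receiver must buffer a stream until each prefix is satisfied (split_tcp_stream), which is the per-connection state the reply above alludes to. The example goes slightly beyond the thread by also decoding the TC (truncation) bit, the usual reason a resolver falls back to TCP/53 at all. The query name, the transaction id 0x1234 and the two response headers are constructed values for illustration.

```python
"""DNS query framing over UDP versus TCP (added example, not from the thread)."""
import struct

def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard query (RD set) for `name`; type A by default.
    The resulting bytes are transport-independent."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # id, flags, counts
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in name.strip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def frame_udp(msg: bytes) -> bytes:
    """UDP: the datagram boundary delimits the message; nothing is added."""
    return msg

def frame_tcp(msg: bytes) -> bytes:
    """TCP: prepend a 16-bit big-endian length (RFC 1035 section 4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg

def split_tcp_stream(stream: bytes):
    """Recover complete DNS messages from a TCP byte stream.
    Returns (messages, leftover). The leftover must be kept per connection
    until more bytes arrive: this buffering is state UDP handling never needs."""
    msgs = []
    off = 0
    while off + 2 <= len(stream):
        n = struct.unpack_from("!H", stream, off)[0]
        if off + 2 + n > len(stream):
            break  # prefix promises more bytes than we have: keep buffering
        msgs.append(stream[off + 2 : off + 2 + n])
        off += 2 + n
    return msgs, stream[off:]

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; TC set means the UDP answer was
    truncated and the client should retry the same query over TCP."""
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }

# Constructed response headers (no real server involved): a normal answer
# and a truncated one, both with an empty body for brevity.
NORMAL_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com.")
    print("udp payload bytes:", len(frame_udp(q)))
    print("tcp payload bytes:", len(frame_tcp(q)))
    print("normal:", parse_header(NORMAL_RESPONSE))
    print("truncated:", parse_header(TRUNCATED_RESPONSE))
```

Run it stand-alone to see that the TCP payload is exactly two bytes longer than the UDP one for the same query; feeding split_tcp_stream a stream cut mid-message returns the fragment as leftover, which is what a nameserver or stateful firewall has to remember for each open TCP/53 connection.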