tcp/udp, clarification please

Brian Salomaki brian at gambitdesign.com
Thu Oct 11 15:17:10 UTC 2001


The problem security-wise occurs when you block TCP packets, and then assume 
that you're completely safe.  However, as people have tried to explain, if 
you do block TCP packets, then your nameserver is in violation of the DNS 
specifications.  BIND will only send out a small amount of data in a UDP 
packet.  If that response is truncated, then the resolver will request again, 
using TCP so that it can receive all of the information.

Bottom line: don't block TCP traffic over port 53.

On Thursday 11 October 2001 10:04 am, Eoin Miller wrote:
> how would having no TCP access to my DNS servers prevent adoption of better
> security tools? My zone transfers would still be going over TCP because I
> have a firewall/DMZ setup, and behind the firewall TCP is allowed to
> transfer between the boxes, but to the outside world only UDP is
> accessible. I fail to see how, if I remove the protocol that is required to
> do anything but very simple level services, just minimal host resolution is
> all that is necessary for the outside world to be able to access; the
> internal LAN and the DMZ still would have access to all the normal
> functionality of BIND. All I am asking is, is name resolution possible with
> UDP, and if that is all I need to let the rest of the world use these
> servers for, and by not even allowing requests on the TCP protocol to get
> past the firewall, that eliminates just about all of the hacks in the book
> from my understanding.
>
> "Bill Manning" <bmanning at ISI.EDU> wrote in message
> news:9q23h6$nrh at pub3.rc.vix.com...
>
> > Some subset of DNS would work. Others would fail in odd ways.
> > You can not presume that even with "minimal" setups that client
> > requests won't exceed UDP packet size. Cutting off TCP will
> > prevent your organization from adopting better security tools,
> > tools that are known to provide integrity checks on the data.
> > Even things which may not be an improvement but are adopted
> > "just because", things like Active Directory & GSSTSIG from
> > a popular vendor push DNS into TCP because of the size of the
> > response.
> >
> > Simple UDP is much more prone to data integrity corruption than
> > data that uses TCP.  But your zones, your choice. Your support
> > costs (opex) will go up if you cut TCP as you will have to deal
> > with odd failures. The apparent robustness of your sites will
> > decrease for both internal and external clients.
> >
> >
> > %
> > % So someone couldn't do a zone transfer if I left only UDP open and DNS
> > % would still work, so this would cut down the functionality that the rest
> > % of the world does not need, correct? The world needs only the resolving
> > % portion, my setup is very simple and minimal, the zone transfers happen
> > % behind the firewall etc etc
> > %
> > %
> > % "Bill Manning" <bmanning at ISI.EDU> wrote in message
> > % news:9q1tp8$mrk at pub3.rc.vix.com...
> > % >
> > % > %
> > % > % basically it's my understanding that using BIND with only UDP can be
> > % > % a bit more secure, my question is this, are there any types of OS's
> > % > % that require the resolving server to use TCP? or are there any other
> > % > % downsides to not letting TCP traffic through the firewall.
> > % > %
> > % > %     Regards,
> > % > %     Eoin Miller
> > % > %
> > % >
> > % > neither is more secure than the other.  UDP works for small packets
> > % > and simple queries.  Complex RRsets and big packets (zone transfers,
> > % > dynamic updates, SIG/CERT RRs, A6 chaining, multiple AAAAs etc.)
> > % > exceed UDP packet limits and will "failover" to using TCP.
> > % >
> > % > --
> > % > --bill
> > % >
> > % >
> > %
> > %
> > %
> >
> >
> > --
> > --bill

-- 
Brian Salomaki
Gambit Design Internet Services
110 E. State St., Suite 18, Kennett Square, PA 19348
DNSbox: http://gambitdesign.com
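The truncation fallback Brian describes (a small UDP reply with the TC bit set, followed by the same query repeated over TCP) is what a firewall that drops TCP/53 breaks. The following is an added example, not code from the thread or from BIND: it builds a query, decodes the header to test TC, frames a message for TCP with the two-byte length prefix, and shows the UDP-then-TCP retry a resolver performs. The server address 192.0.2.53 and the two sample replies are constructed for the example.

```python
import socket
import struct

# Constructed placeholder for the example; not an address from the thread.
SERVER = "192.0.2.53"


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query (QR=0, RD=1) for qname/qtype and return wire bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header (RFC 1035 4.1.1). TC is bit 0x0200 of the flags word."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_response):
    """A resolver must repeat the query over TCP when the UDP reply has TC set (RFC 1035 4.2.1)."""
    return parse_header(udp_response)["tc"]


def frame_for_tcp(msg):
    """Over TCP each DNS message is preceded by a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(buf):
    """Inverse of frame_for_tcp for a buffer holding one complete framed message."""
    (length,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + length:
        raise ValueError("incomplete framed DNS message")
    return buf[2:2 + length]


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("TCP connection closed mid-message")
        data += chunk
    return data


def resolve(qname, server=SERVER, timeout=3.0):
    """UDP first; if the reply is truncated, repeat the same query over TCP.
    Returns (wire_response, used_tcp). Performs live network I/O."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(query, (server, 53))
        udp_reply, _ = u.recvfrom(512)  # classic (non-EDNS) UDP maximum
    if not needs_tcp_retry(udp_reply):
        return udp_reply, False
    # If TCP/53 is filtered at the firewall, this connect is where the lookup hangs.
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(frame_for_tcp(query))
        (length,) = struct.unpack("!H", _recv_exact(t, 2))
        return _recv_exact(t, length), True


# Constructed replies to the query for example.com: one complete, one truncated.
QUERY = build_query("example.com")
QUESTION = QUERY[12:]
# flags 0x8180: QR, RD, RA; one A record in the answer section.
COMPLETE_UDP_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + (
    b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))
# flags 0x8380: QR, TC, RD, RA; the server sent the question only and set TC.
TRUNCATED_UDP_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for name, reply in (("complete", COMPLETE_UDP_REPLY), ("truncated", TRUNCATED_UDP_REPLY)):
        print(name, "-> retry over TCP:", needs_tcp_retry(reply))
```

To check a deployed server from outside the firewall, compare `dig @server name` with `dig +tcp @server name`: if the plain query answers and the `+tcp` one times out, TCP/53 is being dropped and any reply that sets TC will fail for outside resolvers.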

