tcp limitations

Simon Waters Simon at wretched.demon.co.uk
Sun Jun 10 21:57:44 UTC 2001


Guy Pazi wrote:
> 
> I am interested in blocking udp traffic, including dns udp queries and
> replies, using a firewall.

Sounds sensible, amazes me that some firewalls ship allowing
all UDP packets through!

> My question is, what bind versions allow tcp queries not preceded by
> truncated udp queries (actually, not preceded by udp queries at all).

AFAIK all BIND versions do zone transfer with TCP only,
otherwise I understood the request was sent, and if the
response exceeds a certain size (version dependent) the
response is truncated. Different DNS servers handle
truncating differently, some truncate immediately, some at
the last complete record. 

DJB discussed this on his web site (http://cr.yp.to) as his
DNS program works slightly differently to BIND.

The situation is changing in the general case, as BIND
packets are getting larger due to protocol changes.

> I've experienced some problems with that but couldn't really put my finger
> on the whens and whats.

Depends what you're trying to do to filter queries.

Whilst some firewalls have stateful handling of DNS queries
as a prepared "services" you can enable, if you lack this
I'd stick to the simple - allow outgoing TCP and UDP to port
53 on your chosen nameservers. Obviously what you allow
these queries from (all clients, or just web proxy servers
and mail servers) or the more complicated case where you run
your own nameservers, will depend on your business
requirements and security needs.

-- 
Simon Waters
Are you using the Internet to best effect ?
www.eighth-layer.com
Tel: +44(0)1395 232769      ICQ: 116952768
Moderated discussion of teleworking issues at
news:uk.business.telework
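The UDP-then-TCP behaviour discussed in this thread (a UDP reply with the TC bit set makes the resolver repeat the query over TCP, and DNS over TCP carries a 2-byte length prefix) as an added worked example; this is not code from the original post, from Simon Waters, or from BIND. The transports are injected as functions so the fallback logic can be exercised offline against constructed replies; `udp_over_socket` / `tcp_over_socket` are assumed helpers that talk to a real nameserver on port 53 and are only used outside the test.

```python
"""Minimal DNS query builder with UDP -> TCP fallback on truncation (worked example)."""
import socket
import struct

DNS_PORT = 53
TC_FLAG = 0x0200   # header flag bit: server truncated this reply (RFC 1035 4.1.1)

def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query (header + one question) for `name`; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # class IN

def parse_header(msg):
    """Return (txid, flags, ancount) from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, flags, an

def is_truncated(msg):
    return bool(parse_header(msg)[1] & TC_FLAG)

def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream):
    (n,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + n]

def resolve(name, udp_send, tcp_send):
    """Send over UDP first; if TC is set, repeat the same query over TCP.
    Returns (transport_used, answer_count)."""
    query = build_query(name)
    reply = udp_send(query)
    transport = "udp"
    if is_truncated(reply):
        reply = tcp_unframe(tcp_send(tcp_frame(query)))
        transport = "tcp"
    txid, _flags, ancount = parse_header(reply)
    if txid != parse_header(query)[0]:
        raise ValueError("transaction id mismatch")   # reject replies to other queries
    return transport, ancount

def udp_over_socket(server, timeout=2.0):
    """Assumed helper: real UDP transport to `server`:53 (not used by the tests)."""
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, DNS_PORT))
            return s.recv(512)             # classic 512-byte UDP limit
    return send

def tcp_over_socket(server, timeout=2.0):
    """Assumed helper: real TCP transport to `server`:53 (not used by the tests)."""
    def send(framed):
        with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
            s.sendall(framed)
            hdr = s.recv(2)
            (n,) = struct.unpack("!H", hdr)
            body = b""
            while len(body) < n:
                chunk = s.recv(n - len(body))
                if not chunk:
                    break
                body += chunk
            return hdr + body
    return send

# Constructed fake transports (not captured traffic) that mimic a server
# whose UDP reply does not fit and which answers fully over TCP.
def fake_udp_truncating(query):
    txid, _, _ = parse_header(query)
    # flags 0x8380 = QR | RD | RA | TC, question echoed, no answers carried
    return struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, 0) + query[12:]

def fake_udp_complete(query):
    txid, _, _ = parse_header(query)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:] + _a_record()

def fake_tcp(framed):
    query = tcp_unframe(framed)
    txid, _, _ = parse_header(query)
    reply = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:] + _a_record()
    return tcp_frame(reply)

def _a_record():
    # name pointer to offset 12, type A, class IN, TTL 300, RDLENGTH 4, 192.0.2.1 (TEST-NET-1)
    return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])

if __name__ == "__main__":
    print(resolve("example.com", fake_udp_truncating, fake_tcp))  # ('tcp', 1)
    print(resolve("example.com", fake_udp_complete, fake_tcp))    # ('udp', 1)
```

The firewall point from the reply above follows from the code: a policy that permits UDP/53 but drops TCP/53 to the chosen nameservers leaves `resolve` stuck on a truncated reply with no answers, so both protocols need to be allowed to those servers, and the TCP path also needs to accept the 2-byte framed stream rather than single datagrams.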
