UDP vs TCP

Brad Knowles brad.knowles at skynet.be
Thu Mar 15 13:37:09 UTC 2001


At 2:56 AM +0000 3/15/01, Michael S Scheidell wrote:

>  Brad: I assist in a Distributed Intrusion Detection system, and best I can
>  tell, the only tcp port 53's I get are from hackers trying to find out
>  more about our servers (and some old versions of the f5.com 3-dns server)
>  Can you give me examples of when a normal 'query' would use tcp port53?

	Any time the previous UDP query resulted in a truncation, the 
query may be restarted by the nameserver with TCP, or the application 
may explicitly request that a "virtual circuit" be used, in order to 
get all the information desired/necessary.  In these modern days of 
humongous IPv6 addresses and TSIG signed zones, this is becoming far, 
far more likely than it ever used to be in the past, and this 
probability will only increase over time.

--
Brad Knowles, <brad.knowles at skynet.be>
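
Added example, not part of the original message: a Python sketch of how an IDS could correlate TCP port 53 connections with the truncated UDP responses described above, so that ordinary TCP retries are not flagged. The event format, the addresses, the 5-second window and the `header` helper are assumptions made for illustration.

```python
import struct

QR_FLAG = 0x8000  # response bit in the DNS header flags word (RFC 1035)
TC_FLAG = 0x0200  # truncation bit: the answer did not fit in the UDP reply

def parse_header(msg: bytes):
    """Return (id, is_response, truncated) from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes; message too short")
    msg_id, flags = struct.unpack("!HH", msg[:4])
    return msg_id, bool(flags & QR_FLAG), bool(flags & TC_FLAG)

def classify_tcp53(events, window=5.0):
    """Label each TCP/53 connection by whether a truncated UDP response
    was sent to the same client within `window` seconds beforehand."""
    last_tc = {}   # client IP -> time of the latest truncated UDP response
    verdicts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["proto"] == "udp":
            try:
                _, is_resp, tc = parse_header(ev["payload"])
            except ValueError:
                continue  # not a parseable DNS message; ignore it
            if is_resp and tc:
                last_tc[ev["dst"]] = ev["ts"]
        elif ev["proto"] == "tcp":
            seen = last_tc.get(ev["src"])
            ok = seen is not None and 0 <= ev["ts"] - seen <= window
            label = "fallback-after-truncation" if ok else "unsolicited-tcp"
            verdicts.append((ev["src"], label))
    return verdicts

def header(msg_id, flags):
    # Hypothetical helper: minimal 12-byte header with all counts zero.
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)

NS = "192.0.2.53"  # constructed name server address
# Constructed events, as a sensor in front of the name server would log them.
SAMPLE = [
    {"ts": 10.0, "proto": "udp", "src": NS, "dst": "198.51.100.7",
     "payload": header(0x1A2B, QR_FLAG | TC_FLAG)},
    {"ts": 10.2, "proto": "tcp", "src": "198.51.100.7", "dst": NS},
    {"ts": 11.0, "proto": "udp", "src": NS, "dst": "203.0.113.9",
     "payload": header(0x3C4D, QR_FLAG)},
    {"ts": 40.0, "proto": "tcp", "src": "203.0.113.9", "dst": NS},
]

if __name__ == "__main__":
    for src, verdict in classify_tcp53(SAMPLE):
        print(src, verdict)
```

An "unsolicited-tcp" verdict only means no truncated UDP response preceded the connection; as the message notes, an application may also request a virtual circuit explicitly.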



More information about the bind-users mailing list