tcp/udp, clarification please

Bill Manning bmanning at ISI.EDU
Thu Oct 11 15:23:51 UTC 2001



 Security (actually authentication and integrity) comes with the use of
 new RR types. Specifically  SIG/KEY/CERT.  With reasonable salts (128 bits
 or larger)  these RRs will push/exceed IPv4 UDP packet size limits.

 Complex RRsets will also push over the limits of IPv4 UDP. This occurs
 in many cases, not the least of which is when many RRs are listed for
 a single label. (25 A RRs for ftc.gov, for example)

 Again, this is your delegation and you get to do what you want with it.

 The biggest problem is your assertion that TCP access to the DNS is how
 most hacks to the DNS occur.  I, for one, would be interested in how you
 reached this conclusion and any data you have to back this belief. Most
 of the attack vectors to the DNS, that I am aware of, are exploitable 
 via UDP as well as TCP.  

 It is true that some haqers gain "intel" on the scope of the intended
 target by use of zone transfers.  If this is the main perceived threat,
 it is easier to restrict transfers via the "allow-transfer" clause than
 to kill TCP access, at least for most server admins.


% how would having no TCP access to my DNS servers prevent adoption of better
% security tools? my zone transfers would still be going over TCP because i
% have a firewall/DMZ setup, and behind the firewall TCP is allowed to
% transfer between the boxes, but to the outside world only UDP is accessible,
% i fail to see how if i remove the protocol that is required to do anything
% but very simple level services, just minimal host resolution is all that is
% necessary for the outside world to be able to access, the internal LAN and
% the DMZ still would have access to all the normal functionality of BIND. All
% i am asking is name resolution possible with UDP, and if that is all i need
% to let the rest of the world use these servers for, and by not even allowing
% requests on the TCP protocol to get past the firewall, that eliminates just
% about all of the hacks in the book from my understanding.
% 
% "Bill Manning" <bmanning at ISI.EDU> wrote in message
% news:9q23h6$nrh at pub3.rc.vix.com...
% >
% >
% > Some subset of DNS would work. Others would fail in odd ways.
% > You can not presume that even with "minimal" setups that client
% > requests won't exceed UDP packet size. Cutting off TCP will
% > prevent your organization from adopting better security tools,
% > tools that are known to provide integrity checks on the data.
% > Even things which may not be an improvement but are adopted
% > "just because", things like Active Directory & GSSTSIG from
% > a popular vendor push DNS into TCP because of the size of the
% > response.
% >
% > Simple UDP is much more prone to data integrity corruption than
% > data that uses TCP.  But your zones, your choice. Your support
% > costs (opex) will go up if you cut TCP as you will have to deal
% > with odd failures. The apparent robustness of your sites will
% > decrease for both internal and external clients.
% >
% >
% > %
% > % So someone couldn't do a zone transfer if i left only UDP open and DNS would
% > % still work, so this would cut down the functionality that the rest of the
% > % world does not need correct? the world needs only the resolving portion, my
% > % setup is very simple and minimal, the zone transfers happen behind the
% > % firewall etc. etc.
% > %
% > %
% > % "Bill Manning" <bmanning at ISI.EDU> wrote in message
% > % news:9q1tp8$mrk at pub3.rc.vix.com...
% > % >
% > % > %
% > % > % basically it's my understanding that using BIND with only UDP can be a bit
% > % > % more secure, my question is this, are there any types of OS's that require
% > % > % the resolving server to use TCP? or are there any other downsides to not
% > % > % letting TCP traffic through the firewall.
% > % > %
% > % > %     Regards,
% > % > %     Eoin Miller
% > % > %
% > % >
% > % > neither is more secure than the other.  UDP works for small packets and
% > % > simple queries.  Complex RRsets and big packets (zone transfers, dynamic
% > % > updates, SIG/CERT RRs, A6 chaining, multiple AAAAs etc.) exceed UDP
% > % > packet limits and will "failover" to using TCP.
% > % >
% > % > --
% > % > --bill
% > % >
% > % >
% > %
% > %
% > %
% >
% >
% > --
% > --bill
% >
% >
% 
% 
% 


-- 
--bill
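The size/failover mechanism the thread keeps coming back to (a response that does not fit the 512-byte IPv4 UDP payload gets the TC bit set, and the resolver retries over TCP) can be seen directly on the wire. The following is an added example written for this archive page; it is not code from the thread, from BIND, or from ISI. It builds a plain RFC 1035 response with uncompressed owner names (no EDNS0), drops answers until the message fits, and shows how a client reads the TC flag and how the TCP transport frames the retried message. The 25-address RRset for ftc.gov mirrors the poster's example; the 192.0.2.x addresses, TTL and transaction id are constructed sample values.

```python
"""
Added example (not from the bind-users thread): minimal DNS wire-format
builder showing why a large RRset spills out of a 512-byte UDP payload,
how a server signals that with the TC bit, and how a resolver decides
to retry over TCP. All names, addresses and ids are constructed samples.
"""
import struct

UDP_MAX = 512          # RFC 1035 UDP payload limit without EDNS0
QR_FLAG = 0x8000       # header flags: this is a response
TC_FLAG = 0x0200       # header flags: message was truncated
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def a_rr(name: str, ip: str, ttl: int = 300) -> bytes:
    """One A resource record: owner name, type, class, TTL, rdlength, rdata."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    return encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(qname: str, ips, txid: int = 0x1234, max_size: int = UDP_MAX):
    """Build an A response for qname.

    If the full message exceeds max_size, answers are dropped from the
    end and the TC bit is set, which is what a server must do for a UDP
    reply that will not fit. Returns (wire_message, truncated_flag).
    """
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    kept = [a_rr(qname, ip) for ip in ips]
    truncated = False
    while True:
        flags = QR_FLAG | (TC_FLAG if truncated else 0)
        # header: id, flags, qdcount, ancount, nscount, arcount
        header = struct.pack("!HHHHHH", txid, flags, 1, len(kept), 0, 0)
        msg = header + question + b"".join(kept)
        if len(msg) <= max_size or not kept:
            return msg, truncated
        kept.pop()
        truncated = True


def answer_count(msg: bytes) -> int:
    """ANCOUNT field of the header."""
    return struct.unpack("!H", msg[6:8])[0]


def is_truncated(msg: bytes) -> bool:
    """True when the TC bit is set in the header flags."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)


def resolver_decision(udp_reply: bytes) -> str:
    """What a resolver does with a UDP reply: accept it, or retry over TCP."""
    return "retry over TCP" if is_truncated(udp_reply) else "use UDP answer"


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    # Constructed sample: 25 A records for one label, as in the thread.
    many = ["192.0.2.%d" % i for i in range(1, 26)]
    msg, tc = build_response("ftc.gov", many)
    print("udp reply: %d bytes, %d answers kept, TC=%s -> %s"
          % (len(msg), answer_count(msg), tc, resolver_decision(msg)))
    full, _ = build_response("ftc.gov", many, max_size=65535)
    print("same answer over TCP: %d bytes framed" % len(tcp_frame(full)))
```

With uncompressed names each A RR for ftc.gov costs 23 bytes, so 25 of them plus the 25-byte header and question come to 600 bytes; the UDP reply keeps only 21 answers and carries TC, and the complete 600-byte RRset is only deliverable once the resolver follows up over TCP. A firewall that drops TCP/53 therefore does not make such a name "simpler"; it leaves clients with a truncated answer and no way to complete it.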

