tcp/udp, clarification please
Brian Salomaki
brian at gambitdesign.com
Thu Oct 11 19:58:00 UTC 2001
TCP traffic *needs* to go through the firewall to the internet, not just to
the other nameserver. If a client/resolver anywhere on the internet queries
your server, and gets a truncated response, then it will retry the query
using TCP. If TCP isn't enabled, then that client will not be able to
properly resolve names hosted by your server. In practice, if you're doing
very small-scale DNS, then you may not run into this issue, but if you are
intent on blocking TCP traffic, you're not going to find people particularly
eager to help you if you ever have problems. Our stance is that TCP is
enabled, period. There's no good reason to disable it, but there are many
good reasons to leave it enabled. The most we can do is tell you to enable
TCP, and we've already done that more times than we probably should have. If
you don't enable it, then I suppose that's your problem; we're not going to
break into your firewall and try to open up TCP traffic on port 53.
On Thursday 11 October 2001 11:43 am, Eoin Miller wrote:
> brad... the DNS servers can talk to each other using TCP no problem, *ONLY*
> the rest of the world is blocked from using anything other than UDP, the
> DNS servers can use TSIG no problem, ONLY INCOMING TCP requests
> would be blocked at the firewall, on the DMZ the TCP traffic would flow
> freely back and forth between NS1 and NS2.
>
>
> "Brad Knowles" <brad.knowles at skynet.be> wrote in message
> news:9q4d61$6mg at pub3.rc.vix.com...
>
> > At 10:04 AM -0400 2001/10/11, Eoin Miller wrote:
> > > how would having no TCP access to my DNS servers prevent adoption of
> > > better security tools?
> >
> > Because advanced DNS security measures like TSIG and DNSSEC
> > make the packets so large that they are almost certainly guaranteed
> > to be too big to fit into a single UDP packet?
> >
> > > my zone transfers would still be going over TCP because i
> > > have a firewall/DMZ setup, and behind the firewall TCP is allowed to
> > > transfer between the boxes, but to the outside world only UDP is
> > > accessible,
> >
> > This is fundamentally the wrong way to do it. Allow both TCP
> > and UDP through to your nameserver, and then use the mechanisms built
> > into the nameserver software (e.g., BIND) to restrict who is/is not
> > allowed to perform a zone transfer.
> >
> >
> > If you choose to configure your nameserver in any other
> > fashion, you're welcome to support the thing entirely and completely
> > on your own, but please don't ask anyone else in the world for any
> > help.
> >
> >
> > And once again, I must ask you to stop lying about your
> > return e-mail address, and causing e-mail replies to be sent back to
> > the US Federal Trade Commission. If anything, by this action, you
> > are as bad as (or worse) a criminal than all the spammers out there.
> >
> > If you continue to participate in this illegal activity, then
> > I will be forced to contact the appropriate people at RCN and begin
> > proceedings to have your account terminated.
> >
> > --
> > Brad Knowles, <brad.knowles at skynet.be>
> >
--
Brian Salomaki
Gambit Design Internet Services
110 E. State St., Suite 18, Kennett Square, PA 19348
DNSbox: http://gambitdesign.com