Restricting TCP / 53 on the firewall level

Barry Margolin barmar at genuity.net
Mon Mar 25 21:54:41 UTC 2002


In article <a7o57u$lrp at pub3.rc.vix.com>, Jim Reid  <jim at rfc1035.com> wrote:
>>>>>> "Barry" == Barry Margolin <barmar at genuity.net> writes:
>
>    >>  Well I cannot see any legitimate reasons to block DNS service
>    >> over TCP. You cannot expect the rest of the internet to comply
>    >> with your arbitrary and unilateral action like this. [What do
>    >> you hope to achieve by blocking TCP queries? What purpose will
>    >> this serve?] For one thing, you cannot be sure that truncation
>    >> -- => TCP retries -- will never happen.
>
>    Barry> If you control the content of the domains on the server,
>    Barry> sure you can.  You can make sure that no name has so many
>    Barry> records that it will require such a large response.
>
>In theory, perhaps. In reality no. Even if no name "has so many
>records", let's not overlook how much data gets stuffed into the
>Authority and even the Additional Sections of the replies. Face it,
>most people don't have a clue how much data their server sends out in
>an answer.

I think that truncation is not supposed to be set if the overflow is due to
those sections.  The truncated flag is only set if the Answer section
overflows.

>    Barry> Also, even if this affects DNS, it will only be the
>    Barry> connection to the local caching server, not the connections
>    Barry> from that server to the remote authoritative servers.
>
>How could you possibly know that the original poster even has separated
>caching-only and authoritative servers and that all stub resolvers only
>point at the caching-only servers? 

I don't know that.  I'm assuming that the firewall is between the servers
and the outside world, not between the client machines and the servers.

>Even then, what's to stop the rest
>of the world from telling their lookup tools to use TCP to query the
>OP's TCP-blocked servers?

They shouldn't do that in the first place, so who cares if their queries
occasionally fail?  Since they're so interested in security, I hope they've
configured allow-query and allow-recursion to prevent the rest of the world
from abusing them like that in the first place.  But the security guys are
most likely not knowledgeable enough about DNS to make such a specific
request.

>    Barry> Face it, there are an enormous number of sites that have
>    Barry> firewalls blocking TCP port 53.  It almost never causes
>    Barry> problems, because use of TCP for anything other than zone
>    Barry> transfers is extremely rare.  Yes, it's a violation of the
>    Barry> letter of the protocol, but in practice it has little
>    Barry> impact.
>
>That may be your experience. But it still doesn't make the practice of
>blocking TCP queries right or sensible.

True interoperability means complying with de facto standards, not just
official standards.  Any application that depends critically on TCP DNS to
remote servers is likely not fully interoperable, because so many sites
firewall their DNS servers in this way.  Reality bites.

I'm not actively promoting blocking TCP DNS, just letting him know that
it's unlikely anything horrible will result, because many others get away
with it as well.  Sometimes when the security guys are breathing down your
neck, it's OK to compromise rather than fight them.  Save your effort for
things that are really important.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
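The mechanics the thread keeps circling (truncation setting TC, the stub retrying over TCP, and what is left when TCP/53 is dropped) are easier to see in code than in prose. The block below is an added example written for this archive page; it is not BIND code and not from either poster. It simulates an authoritative server that sets TC when the A records for a name do not fit in a 512-byte UDP reply, a stub resolver that retries over TCP with the two-byte length prefix from RFC 1035 section 4.2.2, and a hypothetical firewall that drops the TCP retry. The zone data (`big.example.com` with 40 addresses) is constructed for the demonstration, and the server ignores the Authority/Additional section question debated above.

```python
"""Toy model of DNS truncation and the UDP-to-TCP retry from RFC 1035, with a
simulated server and a simulated firewall that drops TCP/53. Added example for
the thread above; none of this is BIND code, and the server is a fake."""
import socket
import struct

UDP_MAX = 512                  # classic UDP payload limit (RFC 1035, pre-EDNS0)
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100

def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def decode_name(msg, off):
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels)

def build_query(qid, name, qtype=1):
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an}

def parse_a_records(msg):
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    addrs = []
    for _ in range(hdr["ancount"]):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def build_response(query, addrs, max_size=None):
    """Answer an A query with one RR per address. With max_size set (the UDP
    case) keep only the RRs that fit and set TC, as a UDP server must."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    # Owner name as pointer to offset 12 (the question), TYPE A, CLASS IN, TTL, RDLENGTH, RDATA
    rrs = [b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a) for a in addrs]
    flags, count = FLAG_QR | FLAG_AA | FLAG_RD, len(rrs)
    if max_size is not None and rrs:
        fit = (max_size - 12 - len(question)) // len(rrs[0])   # every A RR here is 16 bytes
        if fit < count:
            count, flags = fit, flags | FLAG_TC
    return struct.pack("!HHHHHH", qid, flags, 1, count, 0, 0) + question + b"".join(rrs[:count])

def tcp_frame(msg):
    return struct.pack("!H", len(msg)) + msg      # RFC 1035 4.2.2 two-byte length prefix

def tcp_unframe(data):
    return data[2:2 + struct.unpack("!H", data[:2])[0]]

def resolve(name, udp_send, tcp_send, qid=0x1234):
    """RFC 1035 stub logic: query over UDP; if TC is set, repeat the query over TCP.
    Returns (addresses, transport_used, complete)."""
    query = build_query(qid, name)
    reply = udp_send(query)
    hdr = parse_header(reply)
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("mismatched or non-response message")
    if not hdr["tc"]:
        return parse_a_records(reply), "udp", True
    try:
        full = tcp_unframe(tcp_send(tcp_frame(query)))
    except OSError:
        # TCP/53 blocked: all the resolver has is the partial UDP answer
        return parse_a_records(reply), "udp", False
    return parse_a_records(full), "tcp", True

# Constructed zone data: one name with 40 A records, enough to overflow 512 bytes.
ZONE = {"big.example.com": ["192.0.2.%d" % i for i in range(1, 41)],
        "www.example.com": ["192.0.2.80"]}

def fake_udp(query):
    return build_response(query, ZONE[decode_name(query, 12)], max_size=UDP_MAX)

def fake_tcp(framed):
    query = tcp_unframe(framed)
    return tcp_frame(build_response(query, ZONE[decode_name(query, 12)]))

def firewalled_tcp(framed):
    raise TimeoutError("TCP/53 dropped by the firewall")   # simulated, not a real socket

if __name__ == "__main__":
    for tcp in (fake_tcp, firewalled_tcp):
        addrs, transport, complete = resolve("big.example.com", fake_udp, tcp)
        print(tcp.__name__, transport, len(addrs), "records, complete =", complete)
```

Run as-is: the 40-record name comes back truncated over UDP (29 records fit under 512 bytes with the 21-byte question), the TCP retry returns all 40, and with the firewalled transport the stub is left with the 29 partial records and no way to tell the caller the set is complete. The single-record name never sets TC and never touches TCP, which is the case the post relies on when it says TCP is rarely needed for small zones.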
