The old chestnut - is TCP necessary?

Mike Hoskins mike at adept.org
Mon Sep 27 22:01:50 UTC 2004


On Thu, 16 Sep 2004, Marc Thach Xuan Ky wrote:
> I have a friend 8^) who wants to allow TCP DNS through the firewall. The
> firewall people are not keen to do this.  Telling them that "the
> firewall is broken" unfortunately does not sway them.  My friend needs
> examples of real Internet domain lookups that truncate and require TCP.
> Does anybody out there know of any?

more and more each day...  EDNS, zone xfers...  all your firewall friends
need is the length of a UDP datagram (512 bytes), dig, and a few minutes
on an Internet connection.

that said, i've seen plenty of sites operate w/o TCP port 53 opened on
their firewalls.  usually branch/SOHO offices.  ;)

you could ask for justification.  ask the security folks to point out a
BIND exploit that compromised a name server (or associated organization)
via TCP port 53 only.  that is, an attack that did not rely on any other
underlying protocol, configuration, etc. anomalies.  if they cannot
point it out, then they are just following typical "least privilege"
security mantra..  if they do point out such an attack, then get the
justification in writing.  if blocking TCP port 53 breaks anything for
you down the road, everyone will know why the choice was made.

--
 "Information Warfare? Given the state of the industry, what we need is
  Information Welfare."  --Richard A Steenbergen
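The mechanism the reply is pointing at, as an added example that is not part of the original post: a resolver without EDNS is limited to 512-byte UDP messages (RFC 1035), so a server whose answer does not fit sends back a reply with the TC (truncation) bit set and the client must repeat the query over TCP, where each message is framed by a 2-byte length prefix. The code below is a self-contained, stdlib-only model of that exchange: it builds a query, builds an oversized response (a constructed sample, not a real lookup), models a legacy server truncating it, and shows the client's TCP fallback. The name `example.com` and the 192.0.2.x addresses are placeholders.

```python
"""Model of DNS truncation and TCP fallback (added example, not from the post)."""
import struct

DNS_UDP_LIMIT = 512   # RFC 1035 maximum UDP message size without EDNS
FLAG_QR = 0x8000      # header flag: message is a response
FLAG_TC = 0x0200      # header flag: TrunCation (answer did not fit)


def encode_name(qname):
    """Encode a dotted name in DNS label format (length-prefixed labels)."""
    labels = [l for l in qname.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, txid=0x1234):
    """Minimal recursive query: 12-byte header plus one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return (txid, flags, qdcount, ancount, nscount, arcount)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    return struct.unpack("!HHHHHH", msg[:12])


def question_end(msg):
    """Offset just past the single question section (no compression there)."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4   # terminating zero byte, then QTYPE + QCLASS


def build_response(query, addresses):
    """Answer an A query with one 16-byte RR per address. Owner names use
    the compression pointer 0xC00C (offset 12 = the question name)."""
    txid, _flags, qd, _an, _ns, _ar = parse_header(query)
    question = query[12:question_end(query)]
    header = struct.pack("!HHHHHH", txid, FLAG_QR | 0x0180, qd, len(addresses), 0, 0)
    rrs = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(int(o) for o in a.split("."))
        for a in addresses
    )
    return header + question + rrs


def is_truncated(msg):
    return bool(parse_header(msg)[1] & FLAG_TC)


def legacy_udp_server(full_response):
    """Model a server with no EDNS: if the answer exceeds 512 bytes, reply
    over UDP with header + question only, no answers, and TC set."""
    if len(full_response) <= DNS_UDP_LIMIT:
        return full_response
    txid, flags, qd, _an, _ns, _ar = parse_header(full_response)
    header = struct.pack("!HHHHHH", txid, flags | FLAG_TC, qd, 0, 0, 0)
    return header + full_response[12:question_end(full_response)]


def tcp_frame(msg):
    """DNS over TCP: every message is prefixed by a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def resolve(query, full_response):
    """Client side: UDP first; if the reply is truncated, repeat over TCP.
    Returns (transport_used, answer_count). full_response stands in for
    what the server would send when size were no object."""
    txid = parse_header(query)[0]
    reply = legacy_udp_server(full_response)
    if parse_header(reply)[0] != txid:
        raise ValueError("transaction id mismatch")
    if not is_truncated(reply):
        return ("udp", parse_header(reply)[3])
    # With TCP/53 blocked at a firewall this step never completes, and the
    # truncated UDP reply carries zero answers, so the lookup simply fails.
    reply = tcp_unframe(tcp_frame(full_response))
    return ("tcp", parse_header(reply)[3])


if __name__ == "__main__":
    q = build_query("example.com")
    small = build_response(q, ["192.0.2.%d" % i for i in range(1, 6)])   # 109 bytes
    big = build_response(q, ["192.0.2.%d" % i for i in range(1, 41)])    # 669 bytes
    print(len(small), resolve(q, small))
    print(len(big), resolve(q, big))
```

Against a real server the same test is `dig +noedns +notcp <name>` and looking for `tc` in the `flags:` line of the output, then `dig +tcp` for the full answer; with TCP/53 blocked, the second command is what fails.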


More information about the bind-users mailing list