The old chestnut - is TCP necessary?

Marc Thach Xuan Ky marc.thach at arriwoogle.demon.co.uk
Mon Sep 27 23:00:35 UTC 2004


Thanks to all who took time on this one.  The cold fact of the matter is
that in many corporates the security or firewall people have the last
say, and they do not need to justify themselves.  Rather it is those who
wish to challenge or change those security policies who need to show a
demonstrable business benefit.  It seems that in the case of TCP DNS
queries for Internet hosts there is none, and that point has now
been conceded and the firewalls in question will remain closed to TCP
53.
rgds
Marc TXK


Mike Hoskins wrote:
> 
> On Thu, 16 Sep 2004, Marc Thach Xuan Ky wrote:
> > I have a friend 8^) who wants to allow TCP DNS through the firewall. The
> > firewall people are not keen to do this.  Telling them that "the
> > firewall is broken" unfortunately does not sway them.  My friend needs
> > examples of real Internet domain lookups that truncate and require TCP.
> > Does anybody out there know of any?
> 
> more and more each day...  EDNS, zone xfers...  all your firewall friends
> need is the length of a UDP datagram (512 bytes), dig, and a few minutes
> on an Internet connection.
> 
> that said, i've seen plenty of sites operate w/o TCP port 53 opened on
> their firewalls.  usually branch/SOHO offices.  ;)
> 
> you could ask for justification.  ask the security folks to point out a
> BIND exploit that compromised a name server (or associated organization)
> via TCP port 53 only.  that is, an attack that did not rely on any other
> underlying protocol, configuration, etc. anomalies.  if they can not
> point it out, then they are just following typical "least privilege"
> security mantra..  if they do point out such an attack, then get the
> justification in writing.  if blocking TCP port 53 breaks anything for
> you down the road, everyone will know why the choice was made.
> 
> --
>  "Information Warfare? Given the state of the industry, what we need is
>   Information Welfare."  --Richard A Steenbergen
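The mechanism the thread is arguing about, as an added illustration that is not code from either poster: a UDP DNS reply without EDNS is capped at 512 bytes (RFC 1035), a responder that cannot fit the answer sets the TC bit in the header, and the client is expected to repeat the same query over TCP port 53. The script below builds a query (optionally with an EDNS OPT record advertising a larger UDP payload size), checks the TC bit, and performs the TCP retry; with TCP 53 filtered the retry simply fails and the truncated reply is all the client gets. The nameserver address is whatever the caller supplies (an assumption of the example, no real server is hard-coded), and the truncated reply at the bottom is constructed by hand, not captured from a live server.

```python
"""Detecting DNS truncation (TC) and falling back to TCP 53.

Added example for the thread above, not code from the original posts.
"""
import socket
import struct
from typing import Optional, Tuple

UDP_MAX_LEGACY = 512       # largest UDP payload without EDNS (RFC 1035)
FLAG_QR = 0x8000           # message is a response
FLAG_TC = 0x0200           # truncated: the UDP answer was cut short
FLAG_RD = 0x0100           # recursion desired
FLAG_RA = 0x0080           # recursion available
QTYPE_A, QTYPE_ANY = 1, 255
QCLASS_IN = 1
OPT_TYPE = 41              # EDNS OPT pseudo-RR (RFC 6891)


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels plus the root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234,
                edns_bufsize: Optional[int] = None) -> bytes:
    """Build a recursive query; optionally advertise an EDNS UDP payload size."""
    arcount = 1 if edns_bufsize else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    if edns_bufsize:
        # OPT RR: root name, type 41, the CLASS field carries the UDP payload
        # size, TTL 0 (extended RCODE/version/flags), empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return msg


def is_truncated(response: bytes) -> bool:
    """True when the responder set TC, i.e. the UDP reply is incomplete."""
    if len(response) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & FLAG_TC)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP peer closed before the full message arrived")
        buf += chunk
    return buf


def resolve(server: str, name: str, qtype: int = QTYPE_A,
            edns_bufsize: Optional[int] = None,
            timeout: float = 3.0) -> Tuple[bytes, str]:
    """Send the query over UDP; if TC comes back, repeat it over TCP 53.

    Returns (raw response, transport used). 'server' is an assumed
    parameter: pass the address of a resolver you are allowed to query.
    """
    q = build_query(name, qtype, edns_bufsize=edns_bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(q, (server, 53))
        resp, _ = udp.recvfrom(65535)
    if not is_truncated(resp):
        return resp, "udp"
    # Same query on TCP: each message is prefixed with a 2-byte big-endian
    # length (RFC 1035 section 4.2.2). A firewall dropping TCP 53 makes
    # create_connection() time out and the caller keeps only the truncated reply.
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(tcp, 2))
        return _recv_exact(tcp, length), "tcp"


# Constructed sample (not captured from a real server): a reply header with
# QR, RD, RA and TC set and the question echoed back, which is what a UDP
# answer looks like once the records that did not fit have been dropped.
SAMPLE_TRUNCATED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, 1, 0, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)
)
```

dig does the same retry on its own and prints "tc" in the flags line of a truncated reply; "dig +noedns +ignore" keeps the 512-byte limit and suppresses the TCP retry, which is the quickest way to show the firewall people what a client behind a closed TCP 53 actually receives.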

