The old chestnut - is TCP necessary?

Mark Andrews Mark_Andrews at isc.org
Mon Sep 27 23:06:30 UTC 2004


> On Thu, 16 Sep 2004, Marc Thach Xuan Ky wrote:
> > I have a friend 8^) who wants to allow TCP DNS through the firewall. The
> > firewall people are not keen to do this.  Telling them that "the
> > firewall is broken" unfortunately does not sway them.  My friend needs
> > examples of real Internet domain lookups that truncate and require TCP.
> > Does anybody out there know of any?
> 
> more and more each day...  EDNS, zone xfers...  all your firewall friends
> need is the length of a UDP datagram (512 bytes), dig, and a few minutes
> on an Internet connection.

	Well the length of a UDP datagram is now negotiable (see
	EDNS).  Firewalls often need to be taught how to deal with
	this.  Cisco's PIX firewall has knobs that need to be
	twiddled.  I presume the other vendors have similar knobs.
 
> that said, i've seen plenty of sites operate w/o TCP port 53 opened on
> their firewalls.  usually branch/SOHO offices.  ;)
> 
> you could ask for justification.  ask the security folks to point out a
> BIND exploit that compromised a name server (or associated organization)
> via TCP port 53 only.  that is, an attack that did not rely on any other
> underlying protocol, configuration, etc. anomalies.  if they can not
> point it out, then they are just following typical "least privilege"
> security mantra..  if they do point out such an attack, then get the
> justification in writing.  if blocking TCP port 53 breaks anything for
> you down the road, everyone will know why the choice was made.

	Well BIND has had both UDP only and TCP only problems in
	the past.  The correct way to deal with this is to keep
	current and be on a list where security announcements will
	be posted.

	As for the OP, his firewall people wanted to stop the client
	side making TCP based queries.  They obviously don't have any
	clue about how the DNS works.  

	The usual argument is over whether to allow an authoritative
	only server to answer TCP queries.  Despite it being wrong
	you can sometimes get away with it provided the answers to
	all possible queries will fit in 512 octets.

	In this case they wanted to prevent the server *making* TCP queries
	on behalf of the clients.  I've yet to hear anyone argue that this is
	right.  All the stub resolvers will fall back to TCP if it is
	indicated.  All modern nameservers will fall back to TCP if the
	authoritative server says to (BIND 4 didn't, but it isn't modern).

	Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
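The mechanism the thread argues about, as an added example that is not part of the original post or of BIND: a minimal client that sends a query over UDP, checks the TC (truncation) bit in the response header, and retries the same query over TCP with the two-octet length prefix TCP DNS uses; optionally it advertises a larger UDP payload size with an EDNS0 OPT record, which is the "negotiable" datagram length Mark refers to. The server side is a constructed stand-in (`make_fake_server`) that truncates whenever its full answer exceeds the size the client advertised (512 octets when no OPT record is present), so the whole exchange runs offline. Names such as `resolve`, `build_query` and `make_fake_server` are this example's own, and the 192.0.2.x answers are documentation-range placeholders.

```python
import struct

QTYPE_A = 1
OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type
CLASSIC_UDP_MAX = 512    # RFC 1035 UDP message limit when no EDNS0 is in use


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name starting at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-octet compression pointer
            return off + 2
        off += 1 + length


def build_query(qname, qtype=QTYPE_A, txid=0x1234, edns_udp_size=None):
    """Standard recursive query; with edns_udp_size set, append an OPT RR advertising that size."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)        # class IN
    msg = header + question
    if edns_udp_size:
        # OPT RR: root name, type 41, the CLASS field carries the UDP payload size,
        # the TTL field carries extended RCODE/version/flags (all zero here), no RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    """Decode the 12-octet header; 'tc' is the truncation bit that triggers TCP fallback."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def tcp_frame(msg):
    """DNS over TCP prefixes each message with its length in network byte order."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    (length,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + length:
        raise ValueError("short DNS-over-TCP message")
    return data[2:2 + length]


def advertised_udp_size(query):
    """UDP payload size the client advertised via EDNS0, or 512 if it sent no OPT RR."""
    hdr = parse_header(query)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(query, off) + 4              # skip qtype + qclass
    # queries carry no answer/authority RRs, so the additional section starts here
    for _ in range(hdr["arcount"]):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return max(rclass, CLASSIC_UDP_MAX)      # values below 512 are treated as 512
    return CLASSIC_UDP_MAX


def make_fake_server(num_a_records):
    """Constructed stand-in for a server whose full answer holds num_a_records A RRs.
    Returns (udp_handler, tcp_handler); a real server would also echo an OPT RR, omitted here."""
    def full_response(query):
        hdr = parse_header(query)
        question = query[12:skip_name(query, 12) + 4]
        # each RR: pointer to the question name (0xC00C), type A, class IN, TTL, rdlength, 4 octets
        rrs = b"".join(struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, i % 256])
                       for i in range(num_a_records))
        return struct.pack("!HHHHHH", hdr["id"], 0x8180, 1, num_a_records, 0, 0) + question + rrs

    def udp_handler(query):
        resp = full_response(query)
        if len(resp) > advertised_udp_size(query):
            # too big for the datagram the client can accept: set TC, return header + question only
            hdr = parse_header(query)
            return struct.pack("!HHHHHH", hdr["id"], 0x8380, 1, 0, 0, 0) + query[12:skip_name(query, 12) + 4]
        return resp

    def tcp_handler(framed_query):
        return tcp_frame(full_response(tcp_unframe(framed_query)))

    return udp_handler, tcp_handler


def resolve(qname, udp_send, tcp_send, edns_udp_size=None, txid=0x1234):
    """Try UDP first; if the answer is truncated (TC=1) repeat the identical query over TCP.
    Returns (transport_used, response_message)."""
    query = build_query(qname, edns_udp_size=edns_udp_size, txid=txid)
    resp = udp_send(query)
    if parse_header(resp)["id"] != txid:
        raise ValueError("transaction id mismatch on UDP response")
    if not parse_header(resp)["tc"]:
        return "udp", resp
    resp = tcp_unframe(tcp_send(tcp_frame(query)))    # blocked TCP/53 would fail right here
    if parse_header(resp)["id"] != txid:
        raise ValueError("transaction id mismatch on TCP response")
    return "tcp", resp


if __name__ == "__main__":
    udp, tcp = make_fake_server(40)                   # 12 + 17 + 40*16 = 669 octets, over 512
    print("no EDNS:", resolve("example.com", udp, tcp)[0])                        # tcp
    print("EDNS 4096:", resolve("example.com", udp, tcp, edns_udp_size=4096)[0])  # udp
```

With 40 A records the answer is 669 octets: a plain query gets a TC=1 reply and the client must go to TCP, while the same query with a 4096-octet EDNS0 advertisement completes over UDP. A firewall that drops TCP/53 toward the resolver breaks the first path, which is the failure mode the original poster's friend is trying to avoid.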