The old chestnut - is TCP necessary?
Mark Andrews
Mark_Andrews at isc.org
Mon Sep 27 23:06:30 UTC 2004
> On Thu, 16 Sep 2004, Marc Thach Xuan Ky wrote:
> > I have a friend 8^) who wants to allow TCP DNS through the firewall. The
> > firewall people are not keen to do this. Telling them that "the
> > firewall is broken" unfortunately does not sway them. My friend needs
> > examples of real Internet domain lookups that truncate and require TCP.
> > Does anybody out there know of any?
>
> more and more each day... EDNS, zone xfers... all your firewall friends
> need is the length of a UDP datagram (512 bytes), dig, and a few minutes
> on an Internet connection.
Well the length of a UDP datagram is now negotiable (see
EDNS). Firewalls often need to be taught how to deal with
this. Cisco's PIX firewall has knobs that need to be
twiddled. I presume the other vendors have similar knobs.
> that said, i've seen plenty of sites operate w/o TCP port 53 opened on
> their firewalls. usually branch/SOHO offices. ;)
>
> you could ask for justification. ask the security folks to point out a
> BIND exploit that compromised a name server (or associated organization)
> via TCP port 53 only. that is, an attack that did not rely on any other
> underlying protocol, configuration, etc. anomalies. if they can not
> point it out, then they are just following typical "least privilege"
> security mantra.. if they do point out such an attack, then get the
> justification in writing. if blocking TCP port 53 breaks anything for
> you down the road, everyone will know why the choice was made.
Well BIND has had both UDP only and TCP only problems in
the past. The correct way to deal with this is to keep
current and be on a list where security announcements will
be posted.
As for the OP, his firewall people wanted to stop the client
side making TCP based queries. They obviously don't have any
clue about how the DNS works.
The usual argument is over whether to allow an authoritative
only server to answer TCP queries. Despite it being wrong
you can sometimes get away with it provided the answers to
all possible queries will fit in 512 octets.
In this case they wanted to prevent the server *making* TCP queries
on behalf of the clients. I've yet to hear anyone argue that this is
right. All the stub resolvers will fall back to TCP if it is
indicated. All modern nameservers will fall back to TCP if the
authoritative server says to (BIND 4 didn't, but it isn't modern).
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
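A worked illustration of the mechanism the thread is arguing about: a client that queries over UDP, checks the TC (truncated) bit in the reply, and repeats the same query over TCP with the 2-byte length prefix, plus an EDNS0 OPT record that advertises a larger UDP payload size so the same answer fits without TCP at all. This is an added example, not code from the bind-users post or from BIND. The `fake_server`, `udp_transport` and `tcp_transport` functions are constructed stand-ins for a real name server and real sockets so that it runs offline; the query name, query ID and the 192.0.2.x answers are made up for the demonstration.

```python
"""DNS truncation (TC bit) and UDP-to-TCP fallback, run offline against a
constructed fake server.  Added example, not code from the bind-users thread."""
import struct

QTYPE_A, CLASS_IN, TYPE_OPT = 1, 1, 41
QR_FLAG, TC_FLAG, RD_FLAG, RA_FLAG = 0x8000, 0x0200, 0x0100, 0x0080

def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qid, qtype=QTYPE_A, edns_udp_size=None):
    """Recursion-desired query.  With edns_udp_size, append an EDNS0 OPT record
    whose CLASS field advertises the UDP payload size we can receive (RFC 6891)."""
    arcount = 0 if edns_udp_size is None else 1
    msg = struct.pack("!HHHHHH", qid, RD_FLAG, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_udp_size is not None:
        # OPT RR: root NAME, TYPE=41, CLASS=payload size, TTL=0 (ext rcode/version/flags), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg

def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR_FLAG), "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def question_end(msg):
    """Offset just past the single question (names in a query are not compressed)."""
    off = 12
    while msg[off] != 0:
        off += 1 + msg[off]
    return off + 1 + 4

def advertised_udp_size(query):
    """UDP payload size from the query's OPT RR, or the classic 512 if there is none."""
    off = question_end(query)
    if parse_header(query)["arcount"] >= 1 and query[off] == 0:
        rtype, rclass = struct.unpack("!HH", query[off + 1:off + 5])
        if rtype == TYPE_OPT:
            return max(512, rclass)
    return 512

def resolve_with_fallback(query, udp_send, tcp_send):
    """Try UDP; if the reply has TC set, resend the same query over TCP, where
    each message is prefixed with a 2-byte length (RFC 1035 section 4.2.2)."""
    reply = udp_send(query)
    if parse_header(reply)["id"] != parse_header(query)["id"]:
        raise ValueError("reply ID does not match query")
    if not parse_header(reply)["tc"]:
        return reply, "udp"
    framed = tcp_send(struct.pack("!H", len(query)) + query)
    (length,) = struct.unpack("!H", framed[:2])
    full = framed[2:2 + length]
    if parse_header(full)["tc"]:
        raise RuntimeError("still truncated over TCP")
    return full, "tcp"

# --- constructed fake server, standing in for an authoritative name server ---

def fake_server(query, max_size=None, n_records=40):
    """Answer with n_records A records (192.0.2.x, constructed).  If the reply
    would exceed max_size (the query's advertised UDP size by default), return
    only the question with TC set, as a real server does.  The reply omits the
    OPT RR a real EDNS-aware server would echo; it is not needed here."""
    if max_size is None:
        max_size = advertised_udp_size(query)
    qid = parse_header(query)["id"]
    question = query[12:question_end(query)]
    flags = QR_FLAG | RD_FLAG | RA_FLAG
    # each RR: pointer to the question name (0xC00C) + type/class/TTL/rdlen + 4-byte address
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4)
                       + bytes([192, 0, 2, i]) for i in range(1, n_records + 1))
    full = struct.pack("!HHHHHH", qid, flags, 1, n_records, 0, 0) + question + answers
    if len(full) <= max_size:
        return full
    return struct.pack("!HHHHHH", qid, flags | TC_FLAG, 1, 0, 0, 0) + question

def udp_transport(msg):
    return fake_server(msg)

def tcp_transport(framed):
    reply = fake_server(framed[2:], max_size=65535)
    return struct.pack("!H", len(reply)) + reply

if __name__ == "__main__":
    for size in (None, 4096):
        q = build_query("www.example.com", 0x1234, edns_udp_size=size)
        reply, transport = resolve_with_fallback(q, udp_transport, tcp_transport)
        print(f"EDNS size {size}: {parse_header(reply)['ancount']} answers via {transport}")
```

Without EDNS the 673-octet reply does not fit in 512, the fake server sets TC, and the client only gets the full answer because it can open TCP/53; with a 4096-octet OPT record the same answer arrives over UDP. Replacing `udp_transport` and `tcp_transport` with a real UDP and a real TCP socket to port 53 gives a working client, and shows directly what a firewall that drops outbound TCP/53 breaks: the second step of the fallback.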