Date: Mon, 27 Jul 1998 08:44:17 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: sthaug@nethelp.no
Cc: jkb@best.com, netadmin@fastnet.co.uk, security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity
Message-ID: <Pine.BSF.3.96.980727083742.7733E-100000@fledge.watson.org>
In-Reply-To: <27146.901534320@verdi.nethelp.no>
On Mon, 27 Jul 1998 sthaug@nethelp.no wrote:

> > DNS uses UDP for resolver queries (most of the time).
> > DNS used TCP for zone transfers (always).
> >
> > If you don't want to allow zone transfer from that computer, don't
> > worry about allowing TCP as long as your DNS response will never exceed
> > 512 bytes.
> > (yes I know one can also use xfrnets to stop unauthorized zone
> > transfers but this is ipfw talk *grin*)
>
> Use the tools appropriate for the job. In this case, it's much better to
> use BIND 8, which allows you fine grained control over zone transfers.
>
> It's not a good idea to block TCP port 53, because you may get TCP queries
> even if you don't have answers exceeding 512 bytes.

I understand from some of the people working on DNSsec at TIS that there
are some resolvers out there that *only* use TCP. I also understand that
they are very rare.

The real issue, though, is the truncation issue. With the increasing use
of multiple A and CNAME records for web load distribution (etc), this
limit is getting pushed. Also, with the advent of DNSsec and
signatures/certs/etc passing through DNS, I think we can expect to see
more large DNS payloads going around. I think there was a draft out at
one point on larger DNS packet size support -- no doubt someone will bump
up their UDP packet maximum at some point and we'll discover lots of
buffer overflows in everyone's DNS support? :)

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
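The truncation behaviour the thread is arguing about, as an added example that is not part of the original mailing-list message: a resolver checks the TC bit in the 12-byte DNS header of a UDP reply, and when it is set re-sends the same query over TCP port 53 with the 2-byte length prefix TCP transport requires. The query name, transaction id and the two sample replies are constructed here for the demonstration.

```python
"""Added example (not from the FreeBSD thread): detect a truncated UDP
DNS reply (the TC flag a server sets when the answer would exceed the
classic 512-byte UDP limit) and show the TCP framing used for the retry.
All messages below are constructed inline; nothing is sent on the wire."""
import struct

DNS_UDP_MAX = 512  # classic UDP payload limit discussed in the thread

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal standard query with RD set; qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header; reject anything shorter."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def needs_tcp_retry(udp_reply: bytes, txid: int) -> bool:
    """True when the UDP reply is truncated, so the client must re-ask over TCP."""
    h = parse_header(udp_reply)
    if h["id"] != txid or not h["qr"]:
        raise ValueError("reply does not match the outstanding query")
    return h["tc"]

def frame_for_tcp(query: bytes) -> bytes:
    """Over TCP every DNS message is prefixed with a 2-byte big-endian length."""
    return struct.pack("!H", len(query)) + query

# Constructed sample replies to QUERY (answer section omitted for brevity).
# 0x8180 = QR|RD|RA; 0x8380 additionally sets TC (0x0200).
QUERY = build_query("www.example.com.")
FULL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    print("full reply needs TCP retry:", needs_tcp_retry(FULL_REPLY, 0x1234))
    print("truncated reply needs TCP retry:", needs_tcp_retry(TRUNCATED_REPLY, 0x1234))
    print("TCP length prefix:", frame_for_tcp(QUERY)[:2].hex())
```

If a firewall passes UDP/53 but drops TCP/53, the second case is exactly where resolution silently fails: the client sees TC, retries over TCP, and never gets an answer.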