DNS problems to RoadRunner - tcp vs udp

Scott McGrath mcgrath at fas.harvard.edu
Sat Jun 14 15:40:10 CDT 2008


Not to toss flammables onto the pyre. 

BUT there is a large difference from what the RFC's allow and common 
practice.   In our shop TCP is blocked to all but authoratative 
secondaries as TCP is sinply too easy to DoS a DNS server with.   We 
simply don't need a few thousand drones clogging the TCP connection 
table all trying to do zone transfers ( yes it happened and logs show 
drones are still trying )

For a long time there has been a effective practice of

UDP == resolution requests
TCP == zone transfers

It would have been better if a separate port had been defined for zone 
transfers as that would obviate the need for a application layer gateway 
to allow TCP transfers so that zone transfers can be blocked and 
resolution requests allowed for now all TCP is blocked.

Now just because someone has a bright idea they drag out a 20 y/o RFC 
and say SEE, SEE you must allow this because the RFC says so all the 
while ignoring the 20 years of operational discipline
that RFC was written when the internet was like the quad at college 
everyone knew one and other and we were all working towards a common 
goal of interoperability and open systems ,   These days the net is more 
like a seedy waterfront after midnight where criminal gangs are waiting 
to ambush the unwary and consequently networks need to be operated from 
that standpoint.

At the University networking level it is extremely difficult as we need 
to maintain a open network as much as possible but protect our 
infrastructure services so that they have 5 nines of availability
back in the day a few small hosts would serve DNS nicely and we did  not 
have people trying to take them down and/or infecting local hosts and 
attempting DHCP starvation attacks.   And no we are not at the 5 nines 
level but we are working on it.

 
- Scott


Randy Bush wrote:
>> If my server responded to TCP queries from anyone other than a secondary
>> server, I would be VERY concerned.
>>     
>
> you may want to read the specs
>
> randy
>   





More information about the NANOG mailing list