large organization nameservers sending icmp packets to dns servers.

Kevin Oberman oberman at es.net
Tue Aug 7 20:50:33 UTC 2007


> Date: Tue, 7 Aug 2007 16:33:22 -0400 (EDT)
> From: Donald Stahl <don at calis.blacksun.org>
> 
> > This has been a pain for me for years. I have tried to reason with
> > security people about this and, while they don't dispute my reasoning,
> > they always end up saying that it is the "standard" practice and that,
> > lacking any evidence of what it might be breaking, it will continue to
> > be blocked. And I don't mean small companies, either. One of the biggest
> > issues I have is with one of the country's largest government funded
> > research labs.
> Can someone, anyone, please explain to me why blocking TCP 53 is 
> considered such a security enhancement? It's a token gesture and does 
> nothing to really help improve security. It does, however, cause problems.
> 
> You have no way of knowing why a client might want or need to contact you 
> via TCP 53 for DNS- so why would you block them?
> 
> The fact is most people, to this day, still believe that TCP 53 is only 
> used for axfr's.
> 
> Someone was only too happy to point out to me that he would never create 
> a record larger than 512 bytes so why should they allow TCP queries? The 
> answer is simple- because they are supposed to be allowed. By disallowing 
> them you are breaking the agreed upon rules for the protocol. Before 
> long it becomes impossible to implement new features because you can't be 
> sure if someone else hasn't broken something intentionally.
> 
> If you don't like the rules- then change the damned protocol. Stop just 
> doing whatever you want and then complaining when other people disagree 
> with you.

Don,

You are preaching to the choir...at least in the group. But I have found
that security types (I mean those with a police/physical security
background) don't much care for these arguments. It usually comes down
to "lock and bar every door unless you can prove to them that there is a
need to have the door unlocked".

Standards and such mean nothing to them. Only evidence that something
is broken that has to work will convince them to change something. It's
the tcp/53 is evil meme.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
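The protocol point Don makes above (TCP/53 is not just for AXFR; any answer that does not fit the 512-byte UDP payload comes back with TC=1 and the client is expected to retry over TCP) is easy to demonstrate. The following is an added example, not code from the NANOG thread or from ESnet: a minimal DNS client that sends a plain query (RD=1, no EDNS, so the classic 512-byte limit applies), inspects the TC bit in the UDP reply, and only then opens TCP/53 with the 2-byte length framing RFC 1035 requires. The server address and the query name are assumptions supplied by the caller.

```python
"""DNS query with RFC 1035 truncation fallback: UDP first, TCP/53 when TC=1.

Added example; not from the NANOG thread. Assumes a nameserver reachable on
port 53 and a caller-supplied name. Only the pure helpers run in the test.
"""
import socket
import struct
import sys

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
FLAG_QR = 0x8000                         # 1 = response
FLAG_TC = 0x0200                         # 1 = truncated, retry over TCP
UDP_PAYLOAD_LIMIT = 512                  # RFC 1035 limit without EDNS


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a 0 byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard query, RD=1, one question, no OPT record (so 512-byte UDP applies)."""
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # qtype, class IN


def is_truncated(resp: bytes) -> bool:
    """True when the message is a response with the TC bit set."""
    if len(resp) < DNS_HEADER.size:
        raise ValueError("short DNS message")
    _, flags, *_ = DNS_HEADER.unpack_from(resp)
    return bool(flags & FLAG_QR) and bool(flags & FLAG_TC)


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def unframe_tcp(sock: socket.socket) -> bytes:
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)


def query_with_fallback(server: str, name: str, qtype: int = 1, timeout: float = 3.0):
    """Return (response_bytes, transport). Falls back to TCP/53 only on TC=1."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, 53))
        resp, _ = u.recvfrom(UDP_PAYLOAD_LIMIT)
    if not is_truncated(resp):
        return resp, "udp"
    # TC=1: the answer did not fit in 512 bytes. A firewall dropping TCP/53
    # turns this step into a timeout or connection refused, i.e. a failed lookup.
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(frame_tcp(q))
        return unframe_tcp(t), "tcp"


if __name__ == "__main__":
    # usage: python dns_tc.py <server-ip> <name> [qtype-number]
    srv, qname = sys.argv[1], sys.argv[2]
    qt = int(sys.argv[3]) if len(sys.argv) > 3 else 1
    data, via = query_with_fallback(srv, qname, qt)
    print(f"{len(data)} bytes via {via}")
```

Run it against an authoritative server with a large answer set (a TXT or DNSKEY RRset is a convenient test); if the UDP reply carries TC=1 and the TCP step hangs, the path is filtering TCP/53. The same check from the command line is `dig +tcp @<server> <name>`, which skips UDP and goes straight to TCP.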