large organization nameservers sending icmp packets to dns servers.
David Conrad
drc at virtualized.org
Tue Aug 7 22:40:29 UTC 2007
Hi,
On Aug 7, 2007, at 1:33 PM, Donald Stahl wrote:
> Can someone, anyone, please explain to me why blocking TCP 53 is
> considered such a security enhancement? It's a token gesture and
> does nothing to really help improve security. It does, however,
> cause problems.
It has been argued that it is a bit harder to download/bootstrap
shell code/arbitrary root kit through the latest BIND vulnerability
(or whatever) via a 512 UDP packet than it is through TCP.
> Someone was only too happy to point out to me that he would never
> create a record larger than 512 bytes so why should they allow TCP
> queries? The answer is simple: because they are supposed to be
> allowed.
Yep. However, as the always amusing Dr. Bernstein points out, if you
don't care about zone transfer, DNS-over-TCP is an optional part of
the standard (per RFC 1123).
> Before long it becomes impossible to implement new features because
> you can't be sure if someone else hasn't broken something
> intentionally.
Yep. And then they scream at you when you tickle their brokenness.
It sucks.
Rgds,
-drc
P.S. Note that I think blocking TCP/53 is really stupid.
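As an added illustration of the mechanism the thread is arguing about (my code, not part of the original message): a reply that does not fit the 512-byte UDP limit comes back with the TC bit set, and the resolver must repeat the query over TCP with the two-byte length prefix RFC 1035 requires; with TCP/53 filtered, that retry fails and the answer is never obtained. The sample messages are constructed and the helper names are my own.

```python
import struct

UDP_PAYLOAD_LIMIT = 512  # RFC 1035 cap for DNS over UDP without EDNS0


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(ident: int, name: str, qtype: int = 1) -> bytes:
    """Build a standard recursive query (flags 0x0100 = RD) for name/qtype, class IN."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Parse the 12-byte DNS header into the fields a resolver checks before trusting a reply."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_response: bytes, expected_id: int) -> bool:
    """RFC 1035 4.2.1: a UDP reply with TC=1 must be repeated over TCP.
    A reply whose ID does not match ours is ignored, as a resolver would ignore it."""
    h = parse_header(udp_response)
    return h["id"] == expected_id and h["qr"] and h["tc"]


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for DNS-over-TCP framing")
    return struct.pack("!H", len(msg)) + msg


# Constructed sample: server answered example.com/A but dropped the answers and set
# QR|AA|TC|RD|RA (0x8780) because the full response exceeded 512 bytes.
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8780, 1, 0, 0, 0) + QUESTION
# Constructed sample: complete reply (flags 0x8580, TC clear) carrying one A record.
FULL_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0) + QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    query = build_query(0x1234, "example.com")
    if needs_tcp_retry(TRUNCATED_REPLY, 0x1234):
        print("TC set: resend over TCP as", tcp_frame(query)[:2].hex(), "+ query")
```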