large organization nameservers sending icmp packets to dns servers.

David Conrad drc at
Tue Aug 7 22:40:29 UTC 2007


On Aug 7, 2007, at 1:33 PM, Donald Stahl wrote:
> Can someone, anyone, please explain to me why blocking TCP 53 is  
> considered such a security enhancement? It's a token gesture and  
> does nothing to really help improve security. It does, however,  
> cause problems.

It has been argued that it is a bit harder to download/bootstrap  
shell code/arbitrary root kit through the latest BIND vulnerability  
(or whatever) via a 512 UDP packet than it is through TCP.

> Someone was only too happy to point out to me that he would never  
> create a record larger than 512 bytes so why should they allow TCP  
> queries? The answer is simple- because they are supposed to be  
> allowed.

Yep.  However, as the always amusing Dr. Bernstein points out, if you  
don't care about zone transfer, DNS-over-TCP is an optional part of  
the standard (per RFC 1123).

> Before long it becomes impossible to implement new features because  
> you can't be sure if someone else hasn't broken something  
> intentionally.

Yep.  And then they scream at you when you tickle their brokenness.   
It sucks.


P.S. Note that I think blocking TCP/53 is really stupid.

More information about the NANOG mailing list