large organization nameservers sending icmp packets to dns servers.
Joe Abley
jabley at ca.afilias.info
Wed Aug 8 16:15:44 UTC 2007
On 8-Aug-2007, at 11:59, Jamie Bowden wrote:
> I have a question related to what you posted below, and it's a pretty
> simple one:
>
> How is answering a query on TCP/53 any MORE dangerous than answering it
> on UDP/53? Really. I'd like to know how one of these security nitwits
> justifies it. It's the SAME piece of software answering the query
> either way.
There are people (I believe; this is a little rumour-laden) who take
the approach that 53/tcp is actually safer than 53/udp, since the
handshake makes it easier to believe the query's source address. The
approach I heard about was to reply to UDP-transport queries with
some minimal answer set with TC set, and serve a more useful set of
information over TCP once the re-query arrives.
[I realise that the state involved in handling TCP queries on a busy
server is non-trivial, and that there are many aspects to this
approach which deserve raised eyebrows.]
However, my point is that "TCP is more secure than UDP" also has a
posse.
Joe
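The approach Joe describes (a minimal, TC-flagged answer over UDP, the full record set only after the client re-asks over TCP) is shown below as an added illustration; this is not code from the post or from any nameserver Joe refers to. It hand-builds RFC 1035 wire format with the standard library only, and the zone contents (`www.example.test.` with two constructed A records) are made up for the example. The server side is `handle_query`, the stub-resolver side that honours the TC bit is `resolve`.

```python
import struct

DNS_HEADER = struct.Struct("!HHHHHH")          # id, flags, qdcount, ancount, nscount, arcount
QR, AA, TC, RD = 0x8000, 0x0400, 0x0200, 0x0100  # header flag bits
TYPE_A, CLASS_IN = 1, 1
NXDOMAIN = 3

# Constructed sample zone (assumption): one name with two A records.
ZONE = {
    ("www.example.test.", TYPE_A): [bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])],
}

def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(wire, offset):
    """Read an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = wire[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name not supported")
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset

def build_query(qid, name, qtype=TYPE_A):
    """Standard recursion-desired query, as a stub resolver would send it."""
    return (DNS_HEADER.pack(qid, RD, 1, 0, 0, 0) + encode_name(name)
            + struct.pack("!HH", qtype, CLASS_IN))

def build_response(qid, query_flags, question, qtype, rdatas, truncated, rcode=0):
    """Authoritative response echoing the question; TC set when truncated."""
    flags = QR | AA | (query_flags & RD) | (TC if truncated else 0) | rcode
    msg = DNS_HEADER.pack(qid, flags, 1, len(rdatas), 0, 0) + question
    for rdata in rdatas:
        # 0xC00C is a compression pointer to the QNAME at offset 12 (right after the header).
        msg += struct.pack("!HHHIH", 0xC00C, qtype, CLASS_IN, 300, len(rdata)) + rdata
    return msg

def handle_query(wire, transport):
    """Server side: over UDP answer with one record and TC=1 (source address
    unverified); over TCP, where the handshake has validated the client, send
    the full record set. TCP messages carry the two-byte length prefix."""
    if transport == "tcp":
        (length,) = struct.unpack("!H", wire[:2])
        wire = wire[2:2 + length]
    qid, flags, qdcount, _, _, _ = DNS_HEADER.unpack_from(wire)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(wire, DNS_HEADER.size)
    qtype, _qclass = struct.unpack_from("!HH", wire, off)
    question = wire[DNS_HEADER.size:off + 4]
    records = ZONE.get((qname.lower(), qtype))
    if records is None:
        resp = build_response(qid, flags, question, qtype, [], False, rcode=NXDOMAIN)
    elif transport == "udp":
        resp = build_response(qid, flags, question, qtype, records[:1], True)
    else:
        resp = build_response(qid, flags, question, qtype, records, False)
    return struct.pack("!H", len(resp)) + resp if transport == "tcp" else resp

def parse_response(wire, transport="udp"):
    """Decode id, TC bit, rcode and the A-record answers of a response."""
    if transport == "tcp":
        (length,) = struct.unpack("!H", wire[:2])
        wire = wire[2:2 + length]
    qid, flags, _, ancount, _, _ = DNS_HEADER.unpack_from(wire)
    _, off = decode_name(wire, DNS_HEADER.size)
    off += 4                                   # skip qtype and qclass
    answers = []
    for _ in range(ancount):
        _, rtype, _, _, rdlen = struct.unpack_from("!HHHIH", wire, off)
        off += 12
        rdata = wire[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A:
            answers.append(".".join(str(b) for b in rdata))
    return {"id": qid, "tc": bool(flags & TC), "rcode": flags & 0xF, "answers": answers}

def resolve(name, qid=0x1234):
    """Stub-resolver side: ask over UDP, and retry the same query over TCP
    when the answer came back truncated."""
    query = build_query(qid, name)
    first = parse_response(handle_query(query, "udp"), "udp")
    if not first["tc"]:
        return first
    tcp_query = struct.pack("!H", len(query)) + query
    return parse_response(handle_query(tcp_query, "tcp"), "tcp")

if __name__ == "__main__":
    print(parse_response(handle_query(build_query(1, "www.example.test."), "udp")))
    print(resolve("www.example.test."))
```

The UDP path deliberately answers with a single record and TC=1 so that a spoofed-source query gets only a small reply, which is the same property that limits the server's usefulness as an amplifier; the cost is exactly the TCP state Joe flags, since every client that wants the full set now opens a connection.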