DNS problems to RoadRunner - tcp vs udp
Jon.Kibler at aset.com
Fri Jun 13 18:51:58 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Kevin Oberman wrote:
> If it does not, you should be very concerned. The RFCs (several, but
> I'll point first to good old 1122) allow either TCP or UDP to be used
> for any operation that will fit in a 512 byte transfer. (EDNS0 allows
> larger UDP.)
> TCP is to be used any time a truncated bit is set in a replay. If you
> ever send a large reply that won't fit in 512 bytes, the request will
> be repeated using a TCP connection. If you ignore these, your DNS is
> broken. It is even allowed under the spec to start out with TCP, as AXFR
> queries typically do.
> Yes, I realize that this is fairly common and it does not break much,
> but, should DNSSEC catch on, you might just find the breakage a bit
> worse than it is today and there is no reason to have even the slight
> breakage that is there now.
Okay, I stand corrected. I was approaching this from a security
perspective only, and apparently based on incorrect information.
But this leaves me with a couple of questions:
Various hardening documents for Cisco routers specify the best practices
are to only allow 53/tcp connections to/from secondary name servers.
Plus, from all I can tell, Cisco's 'ip inspect dns' CBAC appears to only
handle UDP data connections and anything TCP would be denied. From what
you are saying, the hardening recommendations are wrong and that CBAC
may break some DNS responses. Is this correct?
Also, other than "That's what the RFCs call for," why use TCP for data
exchange instead of larger UDP packets?
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.
More information about the NANOG