From: Karl Pielorz
Organization: TDX
Date: Sat, 02 May 1998 00:59:47 +0100
To: isp@FreeBSD.ORG
Subject: Named - Denied TCP connections, comments?
Message-ID: <354A61F3.76FB8400@tdx.co.uk>

Am I just being very naive here?

We block all TCP connections to our name servers - and have done for about the past year... As far as I know - this hasn't caused any ill effects, as DNS will use UDP by default - and only fall back to TCP if UDP fails or if performing a zone transfer, and to be honest if the network is so bad that UDP doesn't make it with the first few tries, TCP appears only to fail more gracefully (i.e. connection could not be established) rather than the 'black hole' time-out of UDP.

The only exceptions we allow are our 'up-stream' secondary and tertiary DNS servers.

Does anyone have any comments on this? (Comments of the non-flammable variety that is... ;-)

This isn't strictly FreeBSD related I know, but I did notice the recent CERT published exploit warnings only mention 'TCP Streams' - I guess the chances are that the exploits are for UDP as well?

Karl
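
The UDP-to-TCP fallback mentioned in the message is signalled in the DNS header itself: under RFC 1035 a reply that does not fit in a UDP datagram carries the TC (truncated) flag, and a resolver that wants the full answer repeats the query over TCP. The following is an added example, not part of the original post; it decodes that flag so captured UDP replies from a name server can be checked for answers that depend on TCP/53. The sample packets and the helper names (`build_reply`, `audit`) are constructed for illustration.

```python
import struct

QR_BIT = 0x8000  # set on responses (RFC 1035, section 4.1.1)
AA_BIT = 0x0400  # authoritative answer
TC_BIT = 0x0200  # truncated: the full answer did not fit in the UDP reply

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": ident,
            "response": bool(flags & QR_BIT),
            "truncated": bool(flags & TC_BIT),
            "rcode": flags & 0x000F,
            "answers": an}

def needs_tcp_retry(msg: bytes) -> bool:
    """True when a UDP reply tells the client to repeat the query over TCP."""
    h = parse_header(msg)
    return h["response"] and h["truncated"]

def audit(replies) -> list:
    """IDs of queries whose complete answer is only reachable over TCP/53."""
    return [parse_header(m)["id"] for m in replies if needs_tcp_retry(m)]

def build_reply(ident: int, truncated: bool) -> bytes:
    """Constructed sample reply for example.com A (hypothetical helper)."""
    flags = QR_BIT | AA_BIT | (TC_BIT if truncated else 0)
    question = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
    if truncated:
        # Truncated replies commonly carry no usable answer section.
        return struct.pack("!6H", ident, flags, 1, 0, 0, 0) + question
    # One A record: name pointer to offset 12, TTL 300, address 192.0.2.1
    answer = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!6H", ident, flags, 1, 1, 0, 0) + question + answer

# Constructed capture: one ordinary reply, one truncated reply.
SAMPLE = [build_reply(0x1001, truncated=False),
          build_reply(0x1A2B, truncated=True)]

if __name__ == "__main__":
    for ident in audit(SAMPLE):
        print(f"query id {ident:#06x}: reply truncated, client will retry over TCP")
```

Any ID reported by `audit` marks a lookup that a client cannot complete against a server whose TCP/53 is filtered.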