Date:      Sat, 02 May 1998 00:59:47 +0100
From:      Karl Pielorz <kpielorz@tdx.co.uk>
To:        isp@FreeBSD.ORG
Subject:   Named - Denied TCP connections, comments?
Message-ID:  <354A61F3.76FB8400@tdx.co.uk>

Am I just being very naive here?

We block all TCP connections to our name servers - and have done for about
the past year...

As far as I know - this hasn't caused any ill effects, as DNS will use UDP
by default - and only fall back to TCP if UDP fails or if performing a zone
transfer, and to be honest if the network is so bad that UDP doesn't make it
with the first few tries, TCP appears only to fail more gracefully (i.e.
connection could not be established) rather than the 'black hole' time-out
of UDP.

The only exceptions we allow are our 'up-stream' secondary and tertiary DNS
servers.

Does anyone have any comments on this? (Comments of the non-flammable
variety that is... ;-)

This isn't strictly FreeBSD-related, I know, but I did notice the recent CERT
published exploit warnings only mention 'TCP Streams' - I guess the chances
are that the exploits are for UDP as well?


Karl
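As an added illustration (not part of Karl's mail), the one case the UDP-first behaviour described above does not cover: a reply too big for a 512-byte UDP datagram comes back with the TC (truncated) bit set, and a resolver that then cannot open TCP/53 to the server gets no usable answer. The DNS messages here are constructed samples; only the 12-byte header is modelled faithfully and the payload is filler.

```python
import struct

HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
UDP_PAYLOAD_LIMIT = 512             # RFC 1035 ceiling for a DNS message over UDP
TC_FLAG = 0x0200                    # "truncated" bit in the flags word

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; only the fields needed here are named."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {"id": ident, "qr": bool(flags & 0x8000), "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def server_udp_reply(full_reply: bytes) -> bytes:
    """Model a server answering over UDP: if the complete reply exceeds the
    512-byte limit it sends a shortened copy with TC=1 (a real server cuts at
    record boundaries; here the payload is simply sliced, the header is what matters)."""
    if len(full_reply) <= UDP_PAYLOAD_LIMIT:
        return full_reply
    ident, flags, *counts = HEADER.unpack_from(full_reply)
    return HEADER.pack(ident, flags | TC_FLAG, *counts) + full_reply[HEADER.size:UDP_PAYLOAD_LIMIT]

def resolver_outcome(full_reply: bytes, tcp_port_53_open: bool) -> str:
    """What a resolver experiences against a server behind a filter like the one
    described: UDP first, TCP only when the UDP reply says it was truncated."""
    udp = server_udp_reply(full_reply)
    if not parse_header(udp)["tc"]:
        return "answered over UDP"
    if tcp_port_53_open:
        return "truncated over UDP, completed over TCP"
    return "truncated over UDP, TCP fallback refused: lookup fails"

def constructed_reply(ident: int, answer_bytes: int) -> bytes:
    """Constructed sample message: a QR=1 header claiming one question and one
    answer, followed by answer_bytes of filler standing in for the RR data."""
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0
    return HEADER.pack(ident, flags, 1, 1, 0, 0) + b"\x00" * answer_bytes

if __name__ == "__main__":
    small = constructed_reply(0x1234, 100)   # fits in a datagram
    large = constructed_reply(0x1235, 900)   # e.g. a zone with a long NS or MX set
    for name, reply in (("small", small), ("large", large)):
        print(f"{name}: TCP blocked -> {resolver_outcome(reply, False)}")
        print(f"{name}: TCP allowed -> {resolver_outcome(reply, True)}")
```

The practical check before adopting such a filter is therefore whether any record set the servers are authoritative for produces a response over 512 bytes; if so, clients without TCP access to them will see failures, not just slower lookups.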
