Date:      Fri, 1 May 1998 18:53:52 -0700 (PDT)
From:      Ulf Zimmermann <ulf@Alameda.net>
To:        kpielorz@tdx.co.uk (Karl Pielorz)
Cc:        isp@FreeBSD.ORG
Subject:   Re: Named - Denied TCP connections, comments?
Message-ID:  <199805020153.SAA09897@Gatekeeper.Alameda.net>
In-Reply-To: <354A61F3.76FB8400@tdx.co.uk> from Karl Pielorz at "May 2, 98 00:59:47 am"

> Am I just being very naive here?
> 
> We block all TCP connections to our name servers - and have done for about
> the past year...
> 
> As far as I know - this hasn't caused any ill effects, as DNS will use UDP
> by default - and only fall back to TCP if UDP fails or if performing a zone
> transfer, and to be honest if the network is so bad that UDP doesn't make it
> with the first few tries, TCP appears only to fail more gracefully (i.e.
> connection could not be established) rather than the 'black hole' time-out
> of UDP.
> 
> The only exceptions we allow are our 'up-stream' secondary and tertiary DNS
> servers.
> 
> Does anyone have any comments on this? (Comments of the non-flammable
> variety that is... ;-)
> 
> This isn't strictly freebsd related I know, but I did notice the recent CERT
> published exploit warnings only mention 'TCP Streams' - I guess the chances
> are that the exploits are for UDP as well?

A DNS lookup which produces more than 500-something bytes of information will
set a flag that there is more information and, depending on the inquiring
client, it will initiate a TCP connection to get all the information.

> Karl

Ulf.

---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-769-2936
Alameda Networks, Inc. | http://www.Alameda.net  | Fax#: 510-521-5073

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
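The truncation behaviour Ulf describes, as an added example that is not part of the original thread: a constructed authoritative reply is cut to a TC=1 message when it exceeds the 512-byte UDP limit, and the resolver side shows what happens when the TCP retry is blocked. The query name, addresses and the "drop all answers when truncating" server behaviour are assumptions.

```python
import struct

HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
TC_BIT = 0x0200                     # truncation flag in FLAGS (RFC 1035 section 4.1.1)
UDP_PAYLOAD_MAX = 512               # classic UDP payload limit (RFC 1035 section 2.3.4)


def encode_name(name):
    """Dotted name to wire format: length-prefixed labels plus a zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_a_response(ident, qname, addrs):
    """Constructed authoritative answer: one question, one A record per address."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in addrs:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    return HEADER.pack(ident, 0x8400, 1, len(addrs), 0, 0) + question + answers  # QR=1, AA=1


def question_len(msg):
    """Length of the single question section that follows the header."""
    off = HEADER.size
    while msg[off] != 0:
        off += 1 + msg[off]
    return off + 1 + 4 - HEADER.size


def udp_reply(full_response):
    """Server side: send the whole message if it fits in UDP, otherwise set TC=1
    and keep only the question (one permitted way to truncate; assumed here)."""
    if len(full_response) <= UDP_PAYLOAD_MAX:
        return full_response
    ident, flags, qd, _an, _ns, _ar = HEADER.unpack_from(full_response)
    header = HEADER.pack(ident, flags | TC_BIT, qd, 0, 0, 0)
    return header + full_response[HEADER.size:HEADER.size + question_len(full_response)]


def lookup_outcome(reply, tcp_allowed):
    """Resolver side: TC=1 means retry over TCP; with TCP blocked that retry fails."""
    _, flags, _, ancount, _, _ = HEADER.unpack_from(reply)
    if not flags & TC_BIT:
        return "complete", ancount
    return ("retry-over-tcp" if tcp_allowed else "failed-tcp-blocked"), ancount
```

For a 15-character name like www.example.com the header plus question take 33 bytes and each A record 16, so the 30th address pushes the answer past 512 bytes and the UDP reply comes back truncated.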