From owner-freebsd-isp Fri May 1 18:55:30 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA08642 for freebsd-isp-outgoing; Fri, 1 May 1998 18:55:30 -0700 (PDT) (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from DNS.Lamb.net (root@DNS.Lamb.net [207.90.181.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA08634 for ; Fri, 1 May 1998 18:55:26 -0700 (PDT) (envelope-from ulf@Gatekeeper.Alameda.net)
Received: (from uucp@localhost) by DNS.Lamb.net (8.8.6/8.8.6) id SAA24162; Fri, 1 May 1998 18:55:01 -0700 (PDT)
Received: from gatekeeper.Alameda.net(207.90.181.2) via SMTP by DNS.Lamb.net, id smtpd024151; Fri May 1 18:54:32 1998
Received: (from ulf@localhost) by Gatekeeper.Alameda.net (8.8.6/8.7.6) id SAA09897; Fri, 1 May 1998 18:53:52 -0700 (PDT)
From: Ulf Zimmermann
Message-Id: <199805020153.SAA09897@Gatekeeper.Alameda.net>
Subject: Re: Named - Denied TCP connections, comments?
In-Reply-To: <354A61F3.76FB8400@tdx.co.uk> from Karl Pielorz at "May 2, 98 00:59:47 am"
To: kpielorz@tdx.co.uk (Karl Pielorz)
Date: Fri, 1 May 1998 18:53:52 -0700 (PDT)
Cc: isp@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Am I just being very naive here?
>
> We block all TCP connections to our name servers - and have done for about
> the past year...
>
> As far as I know - this hasn't caused any ill effects, as DNS will use UDP
> by default - and only fall back to TCP if UDP fails or if performing a zone
> transfer, and to be honest if the network is so bad that UDP doesn't make it
> with the first few tries, TCP appears only to fail more gracefully (i.e.
> connection could not be established) rather than the 'black hole' time-out
> of UDP.
>
> The only exceptions we allow are our 'up-stream' secondary and tertiary DNS
> servers.
>
> Does anyone have any comments on this? (Comments of the non-flammable
> variety that is... ;-)
>
> This isn't strictly freebsd related I know, but I did notice the recent CERT
> published exploit warnings only mention 'TCP Streams' - I guess the chances
> are that the exploits are for UDP as well?

A DNS lookup which causes more than 500-something bytes of information will
set a flag that there is more information and, depending on the inquiring
client, it will initiate a TCP connection to get all the information.

>
> Karl
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
>

Ulf.
---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-769-2936
Alameda Networks, Inc. | http://www.Alameda.net | Fax#: 510-521-5073
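The truncation behaviour Ulf describes, as an added example that is not part of the original post or thread: a DNS message carried over UDP is limited to 512 bytes (RFC 1035), so a server that cannot fit all answers sets the TC (truncated) bit, and a resolver that sees TC retries the query over TCP. The code below is a self-contained simulation of both sides: `build_response` plays the server, producing either a full TCP response or a UDP response cut down and flagged TC, and `resolve` plays a stub resolver whose `tcp_allowed` flag models a firewall that drops TCP/53, which is Karl's setup. The name `www.example.com`, the `10.0.0.x` addresses and all function names are constructed for the example; how a real resolver behaves when the TCP retry is refused varies by implementation, and is modelled here simply as returning the truncated UDP answer marked incomplete.

```python
import struct

UDP_MAX = 512          # RFC 1035 limit for a DNS message carried over UDP
FLAG_QR = 0x8000       # header flag: this message is a response
FLAG_TC = 0x0200       # header flag: answer was truncated to fit UDP_MAX


def encode_name(name):
    """Encode a dotted hostname in DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, ips, tcp=False):
    """Server side: answer an A query for qname with one RR per IPv4 string.

    Over TCP the full message is returned (the real TCP stream also carries a
    2-byte length prefix, omitted here).  Over UDP, if the full message would
    exceed UDP_MAX, trailing answers are dropped and TC is set.
    """
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = [
        encode_name(qname)
        + struct.pack("!HHIH", 1, 1, 300, 4)                    # type, class, TTL, RDLENGTH
        + bytes(int(octet) for octet in ip.split("."))
        for ip in ips
    ]

    def assemble(rrs, tc):
        flags = FLAG_QR | (FLAG_TC if tc else 0)
        header = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 0)
        return header + question + b"".join(rrs)

    full = assemble(answers, tc=False)
    if tcp or len(full) <= UDP_MAX:
        return full
    kept = []                      # keep whole RRs only, never a partial one
    for rr in answers:
        if len(assemble(kept + [rr], tc=True)) > UDP_MAX:
            break
        kept.append(rr)
    return assemble(kept, tc=True)


def _skip_name(msg, off):
    """Advance past an uncompressed name (a compression pointer is 2 bytes)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Client side: header flags plus the A records in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return {"id": txid, "tc": bool(flags & FLAG_TC), "answers": ips}


def resolve(txid, qname, ips, tcp_allowed):
    """Stub resolver: query over UDP, retry over TCP when TC is set.

    tcp_allowed=False models a firewall dropping TCP/53.  Real resolvers
    differ in what they do when that retry fails; this example (an
    assumption, not any particular resolver's behaviour) hands back the
    truncated UDP answer flagged as incomplete.
    """
    udp = parse_response(build_response(txid, qname, ips, tcp=False))
    if not udp["tc"]:
        return {"transport": "udp", "answers": udp["answers"], "complete": True}
    if not tcp_allowed:
        return {"transport": "udp", "answers": udp["answers"], "complete": False}
    tcp = parse_response(build_response(txid, qname, ips, tcp=True))
    return {"transport": "tcp", "answers": tcp["answers"], "complete": True}


if __name__ == "__main__":
    # Constructed sample: a name with 20 A records, well over 512 bytes.
    many = ["10.0.0.%d" % i for i in range(1, 21)]
    for allowed in (True, False):
        r = resolve(0x1234, "www.example.com", many, tcp_allowed=allowed)
        print("tcp_allowed=%s -> %s, %d answers, complete=%s"
              % (allowed, r["transport"], len(r["answers"]), r["complete"]))
```

With the sample above the full response is 653 bytes, so over UDP the server keeps 15 of the 20 records (498 bytes) and sets TC; with TCP open the resolver gets all 20, and with TCP/53 blocked it is left with the 15 it was sent. Zone transfers are the other TCP case Karl mentions, but any ordinary lookup whose answer set crosses the 512-byte line runs into exactly this path.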