Date:      Fri, 1 May 1998 20:11:19 -0700
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Karl Pielorz <kpielorz@tdx.co.uk>, isp@FreeBSD.ORG
Subject:   Re: Named - Denied TCP connections, comments?
Message-ID:  <199805020311.UAA12472@salsa.gv.tsc.tdk.com>
In-Reply-To: Karl Pielorz <kpielorz@tdx.co.uk> "Named - Denied TCP connections, comments?" (May  2, 12:59am)

On May 2, 12:59am, Karl Pielorz wrote:
} Subject: Named - Denied TCP connections, comments?
} Am I just being very naive here?
} 
} We block all TCP connections to our name servers - and have done for about
} the past year...
} 
} As far as I know - this hasn't caused any ill effects, as DNS will use UDP
} by default - and only fall back to TCP if UDP fails or if performing a zone
} transfer, and to be honest if the network is so bad that UDP doesn't make it
} with the first few tries, TCP appears only to fail more gracefully (i.e.
} connection could not be established) rather than the 'black hole' time-out
} of UDP.

For general queries, TCP won't be used just because no response was
received for a UDP query.  The only exception to this rule is the SOA
queries that BIND does in preparation for a zone transfer, which will
require TCP for the actual zone transfer.

Be aware though, that there are some clients that only know how to
use TCP (some flavor of an IBM mainframe OS as I recall).  Also, newer
versions of BIND (>= 8.1) will retry a query using TCP if the answer is
so long that the response to a UDP query is truncated and has the TC bit
set.  You'll run into this in the future as the size of DNS responses
increases.

} Does anyone have any comments on this? (Comments of the non-flammable
} variety that is... ;-)

I think the host requirements RFCs require TCP support, but also say
UDP should be used whenever possible.

} This isn't strictly freebsd related I know, but I did notice the recent CERT
} published exploit warnings only mention 'TCP Streams' - I guess the chances
} are that the exploits are for UDP as well?

Probably.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
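The transport rule the reply describes (UDP first, TCP only when the answer comes back with the TC bit set or when the query is a zone transfer, and no TCP fallback on a plain UDP timeout), worked through as an added example. This is not code from the original post or from BIND. The transports are injected as callables and the server replies are constructed inside the block so it runs offline; the fixed query ID, the name used and the stand-in server are assumptions.

```python
"""DNS transport selection as discussed in the thread: query over UDP,
retry over TCP only for a TC-truncated answer, use TCP outright for AXFR.
Added example, not code from the original message or from BIND."""
import struct

QTYPE_A = 1
QTYPE_AXFR = 252
QUERY_ID = 0x1234          # assumption: fixed ID so the check below is simple
UDP_MAX_PAYLOAD = 512      # classic RFC 1035 UDP limit (no EDNS0)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, qid: int = QUERY_ID) -> bytes:
    """Header with RD set and a single question in class IN."""
    flags = 0x0100  # QR=0, OPCODE=0, RD=1
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Pull the fields a resolver needs from the 12-byte header, TC included."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def tcp_frame(msg: bytes) -> bytes:
    """Over TCP each message is preceded by a 2-byte length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def resolve(name: str, qtype: int, send_udp, send_tcp):
    """Return (transport_used, response_bytes or None).

    send_udp(wire) returns the reply or None on timeout; send_tcp(framed)
    returns the unframed reply. A UDP timeout is NOT retried over TCP; a
    reply with TC set is; a zone transfer goes straight to TCP."""
    query = build_query(name, qtype)
    if qtype == QTYPE_AXFR:
        return "tcp", send_tcp(tcp_frame(query))
    resp = send_udp(query)
    if resp is None:
        return "udp-timeout", None
    hdr = parse_header(resp)
    if hdr["id"] != QUERY_ID or not hdr["qr"]:
        raise ValueError("response does not match our query")
    if hdr["tc"]:
        return "tcp", send_tcp(tcp_frame(query))
    return "udp", resp


# --- constructed stand-ins for a name server, so the block runs offline ---

def make_response(query: bytes, tc: bool = False) -> bytes:
    """Reply with the same ID, QR/RD/RA set, RCODE 0, question echoed, no answers."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if tc else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + query[12:]


def fake_tcp_server(framed: bytes) -> bytes:
    """Strip the TCP length prefix and answer like the UDP stand-in, never truncated."""
    length = struct.unpack("!H", framed[:2])[0]
    return make_response(framed[2:2 + length])


if __name__ == "__main__":
    for label, udp in (("normal", lambda q: make_response(q)),
                       ("truncated", lambda q: make_response(q, tc=True)),
                       ("timeout", lambda q: None)):
        used, _ = resolve("example.com", QTYPE_A, udp, fake_tcp_server)
        print(f"{label:>9}: transport = {used}")
    print(f"     axfr: transport = {resolve('example.com', QTYPE_AXFR, lambda q: None, fake_tcp_server)[0]}")
```

The point to take from the code is the shape of the decision: only a reply that arrived and carries TC triggers the TCP retry, so a firewall that drops TCP/53 is invisible until answers outgrow the 512-byte UDP payload or a zone transfer is attempted.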
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199805020311.UAA12472>