Date: Fri, 1 May 1998 20:11:19 -0700 From: Don Lewis <Don.Lewis@tsc.tdk.com> To: Karl Pielorz <kpielorz@tdx.co.uk>, isp@FreeBSD.ORG Subject: Re: Named - Denied TCP connections, comments? Message-ID: <199805020311.UAA12472@salsa.gv.tsc.tdk.com> In-Reply-To: Karl Pielorz <kpielorz@tdx.co.uk> "Named - Denied TCP connections, comments?" (May 2, 12:59am)
next in thread | previous in thread | raw e-mail | index | archive | help
On May 2, 12:59am, Karl Pielorz wrote: } Subject: Named - Denied TCP connections, comments? } Am I just being very naive here? } } We block all TCP connections to our name servers - and have done for about } the past year... } } As far as I know - this hasn't caused any ill effects, as DNS will use UDP } by default - and only fall back to TCP if UDP fails or if performing a zone } transfer, and to be honest if the network is so bad that UDP doesn't make it } with the first few tries, TCP appears only to fail more gracefully (i.e. } connection could not be established) rather than the 'black hole' time-out } of UDP. For general queries, TCP won't be used just because no response was received for a UDP query. The only exception to this rule is the SOA queries that BIND does in preparation for a zone transfer, which will require TCP for the actual zone transfer. Be aware though, that there are some clients that only know how to use TCP (some flavor of an IBM mainframe OS as I recall). Also, newer versions of BIND (>= 8.1) will retry a query using TCP if the answer is so long that the response to a UDP query is truncated and has the TC bit set. You run into this in the future as the size of DNS responses increases. } Does anyone have any comments on this? (Comments of the non-flammable } variety that is... ;-) I think the host requirements RFCs require TCP support, but also say UDP should be used whenever possible. } This isn't strictly freebsd related I know, but I did notice the recent CERT } published exploit warnings only mention 'TCP Streams' - I guess the chances } are that the exploits are for UDP as well? Probably. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199805020311.UAA12472>