From owner-freebsd-security Mon Jul 27 05:45:20 1998
Date: Mon, 27 Jul 1998 08:44:17 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
Reply-To: Robert Watson
To: sthaug@nethelp.no
cc: jkb@best.com, netadmin@fastnet.co.uk, security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity
In-Reply-To: <27146.901534320@verdi.nethelp.no>

On Mon, 27 Jul 1998 sthaug@nethelp.no wrote:

> > DNS uses UDP for resolver queries (most of the time).
> > DNS uses TCP for zone transfers (always).
> >
> > If you don't want to allow zone transfer from that computer, don't
> > worry about allowing TCP as long as your DNS response will never exceed
> > 512 bytes.
> > (Yes, I know one can also use xfrnets to stop unauthorized zone
> > transfers, but this is ipfw talk *grin*.)
>
> Use the tools appropriate for the job. In this case, it's much better to
> use BIND 8, which allows you fine-grained control over zone transfers.
>
> It's not a good idea to block TCP port 53, because you may get TCP queries
> even if you don't have answers exceeding 512 bytes.

I understand from some of the people working on DNSsec at TIS that there
are some resolvers out there that *only* use TCP. I also understand that
they are very rare.

The real issue, though, is the truncation issue. With the increasing use
of multiple A and CNAME records for web load distribution (etc.), this
limit is getting pushed. Also, with the advent of DNSsec and
signatures/certs/etc. passing through DNS, I think we can expect to see
more large DNS payloads going around. I think there was a draft out at one
point on larger DNS packet size support -- no doubt someone will bump up
their UDP packet maximum at some point and we'll discover lots of buffer
overflows in everyone's DNS support? :)

Robert N Watson
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
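The truncation issue discussed in the thread, as an added example that is not part of the original mail and not code from FreeBSD, BIND or ipfw: a small model of the RFC 1035 512-byte UDP limit. It builds a DNS response with one A record per address, shows how a UDP responder must drop the answer section and set the TC bit once the message exceeds 512 bytes, and then plays out what a stub resolver gets when a firewall allows or blocks the TCP retry on port 53. The name `www.example.com`, the 10.0.0.x addresses and the 30-record web farm are constructed sample data; the `resolve` function stands in for a resolver and a firewall rule rather than touching the network.

```python
import struct

# Added example (not from the original mail or any FreeBSD/BIND code): a model of
# the 512-byte UDP limit from RFC 1035 and of what a stub resolver does when the
# answer does not fit. Sample names and addresses below are constructed.

UDP_MAX = 512          # RFC 1035 maximum UDP payload (before EDNS0)
TC_FLAG = 0x0200       # "truncated" bit in the DNS header flags word


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"


def build_response(txid, qname, addresses, ttl=300):
    """Assemble a complete response: header, one question, one A RR per address."""
    flags = 0x8180  # QR=1, RD=1, RA=1, no error
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12,
        # so every A RR built here is exactly 16 bytes on the wire.
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + question + answers


def udp_reply(full):
    """What a UDP server sends: the full message, or header+question with TC set."""
    if len(full) <= UDP_MAX:
        return full, False
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", full[:12])
    question_len = len(full) - 12 - ancount * 16
    truncated = struct.pack("!HHHHHH", txid, flags | TC_FLAG, qdcount, 0, 0, 0)
    return truncated + full[12:12 + question_len], True


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)


def skip_name(msg, off):
    """Advance past a wire-format name, which may end in a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_answers(msg):
    """Return the IPv4 addresses carried in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4           # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def resolve(qname, addresses, tcp_allowed):
    """Stub resolver: UDP first; on TC, retry over TCP unless tcp/53 is filtered."""
    full = build_response(0x1234, qname, addresses)
    reply, truncated = udp_reply(full)
    if not truncated:
        return "udp", parse_answers(reply)
    if not tcp_allowed:
        # An ipfw rule dropping tcp/53 leaves the resolver with only a TC'd header.
        return "failed", parse_answers(reply)
    # Over TCP the same message is sent whole (with a 2-byte length prefix).
    return "tcp", parse_answers(full)


# Constructed sample data: a small site and a web farm with 30 A records.
SAMPLE_NAME = "www.example.com"
FEW_ADDRS = ["10.0.0.%d" % i for i in range(1, 4)]
MANY_ADDRS = ["10.0.0.%d" % i for i in range(1, 31)]

if __name__ == "__main__":
    for addrs in (FEW_ADDRS, MANY_ADDRS):
        size = len(build_response(1, SAMPLE_NAME, addrs))
        for tcp in (True, False):
            path, got = resolve(SAMPLE_NAME, addrs, tcp)
            print("%d records, %d bytes, tcp/53 %s: %s, %d addresses" %
                  (len(addrs), size, "open" if tcp else "blocked", path, len(got)))
```

With three A records the response is 81 bytes and fits in UDP whether or not TCP is allowed; with thirty it is 513 bytes, one byte over the limit, so the UDP reply carries only the header and question with TC set, and a firewall that drops tcp/53 turns a perfectly good zone into a lookup failure. This is the case the thread is making: the 512-byte ceiling is reached by ordinary load-balanced records long before zone transfers enter the picture.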