From owner-freebsd-security  Mon Jul 27 05:45:20 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id FAA09793
          for freebsd-security-outgoing; Mon, 27 Jul 1998 05:45:20 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (root@COPLAND.CODA.CS.CMU.EDU [128.2.222.48])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA09787
          for <security@FreeBSD.ORG>; Mon, 27 Jul 1998 05:45:18 -0700 (PDT)
          (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.8.8/8.8.8) with SMTP id IAA07884;
	Mon, 27 Jul 1998 08:44:17 -0400 (EDT)
Date: Mon, 27 Jul 1998 08:44:17 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson <robert+freebsd@cyrus.watson.org>
To: sthaug@nethelp.no
cc: jkb@best.com, netadmin@fastnet.co.uk, security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity
In-Reply-To: <27146.901534320@verdi.nethelp.no>
Message-ID: <Pine.BSF.3.96.980727083742.7733E-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 27 Jul 1998 sthaug@nethelp.no wrote:

> > 	DNS uses UDP for resolver queries (most of the time).
> > 	DNS used TCP for zone transfers (always).
> > 	
> > 	If you don't want to allow zone transfer from that computer, don't
> > worry about allowing TCP as long as your DNS response will never exceed
> > 512 bytes.	
> > 	(yes I know one can also use xfrnets to stop unauthorized zone
> > transfers but this is ipfw talk *grin*)
> 
> Use the tools appropriate for the job. In this case, it's much better to
> use BIND 8, which allows you fine grained control over zone transfers.
> 
> It's not a good idea to block TCP port 53, because you may get TCP queries
> even if you don't have answers exceeding 512 bytes.

I understand from some of the people working on DNSsec at TIS that there
are some resolvers out there that *only* use TCP.  I also understand that
they are very rare.

The real issue, though, is the truncation issue.  With the increasing use
of multiple A and CNAME records for web load distribution (etc), this
limit is getting pushed.  Also, with the advent of DNSsec and
signatures/certs/etc passing through DNS, I think we can expect to see
more large DNS payloads going around.  I think there was a draft out at
one point on larger DNS packet size support -- no doubt someone will bump
up their UDP packet maximum at some point and we'll discver lots of buffer
overflows in everyone's DNS support? :)

  Robert N Watson 

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message