RE: Pubstro rash
From: Joshua Berry (jberry_at_PENSON.COM)
Date: 03/18/05
- Previous message: David LeBlanc: "RE: Pubstro rash"
- Maybe in reply to: David Gillett: "Pubstro rash"
- Next in thread: Jeff Kell: "Re: Pubstro rash"
- Reply: Jeff Kell: "Re: Pubstro rash"
- Reply: Valdis.Kletnieks_at_vt.edu: "Re: Pubstro rash"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 18 Mar 2005 09:30:51 -0600 To: "Jeff Kell" <jeff-kell@utc.edu>, <alexandre.skyrme@ciphersec.com.br>
I have never had a DNS query that had a response that was over 512
bytes. For that reason I disable all inbound DNS over 53/tcp. I have
been using this configuration for years and even run my own DNS servers
and have see absolutely no problems.
-----Original Message-----
From: Jeff Kell [mailto:jeff-kell@utc.edu]
Sent: Thursday, March 17, 2005 6:07 PM
To: alexandre.skyrme@ciphersec.com.br
Cc: incidents@securityfocus.com; gillettdavid@fhda.edu
Subject: Re: Pubstro rash
Alexandre Skyrme wrote:
> Greetings David,
>
> Just a thought about your third comment...
>
> As far as I'm concerned DNS just uses 53/TCP to do zone transfers. In
case
> your workstations are on a different network than your DNS servers it
should
> probably be safe to block incoming TCP connections to that network on
such
> port.
>
> Tipically zone transfers would only be used by secondary servers to
update
> their own zones from its primary server.
RFC1035 allows 512 bytes for a DNS response (53) but they may now be
longer, according to RFC2671 and others. If the DNS query fails or is
"truncated", the query may be repeated over TCP.
So, 53/tcp is NOT just for zone transfers.
Jeff
- Previous message: David LeBlanc: "RE: Pubstro rash"
- Maybe in reply to: David Gillett: "Pubstro rash"
- Next in thread: Jeff Kell: "Re: Pubstro rash"
- Reply: Jeff Kell: "Re: Pubstro rash"
- Reply: Valdis.Kletnieks_at_vt.edu: "Re: Pubstro rash"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
