RE: firewall / DNS question

From: Yiming Gong (yiming@security.zz.ha.cn)
Date: 11/29/01


From: "Yiming Gong" <yiming@security.zz.ha.cn>
To: "novitiate" <novitiate@perlmonk.org>, <security-basics@securityfocus.com>
Subject: RE: firewall / DNS question
Date: Thu, 29 Nov 2001 14:29:51 +0800
Message-ID: <EIEJLJCFAJCPIDBBOEICMEJNCAAA.yiming@security.zz.ha.cn>

Hey,
I think Richard Stevens ;) has just the answer for your question in his book
<TCP/IP Illustrated>. These are the answers:
"When the resolver issues a query and the response comes back with the TC
bit set ("truncated") it means the size of the response exceeded 512 bytes,
so only the first 512 bytes were returned by the server. The resolver
normally issues the request again, using TCP. This allows more than 512
bytes to be returned. (Recall our discussion of the maximum UDP datagram
size in Section 11.10.) Since TCP breaks up a stream of user data into what
it calls segments, it can transfer any amount of user data, using multiple
segments.

Also, when a secondary name server for a domain starts up it performs a zone
transfer from the primary name server for the domain. We also said that the
secondary queries the primary on a regular basis (often every 3 hours) to
see if the primary has had its tables updated, and if so, a zone transfer is
performed. Zone transfers are done using TCP, since there is much more data
to transfer than a single query or response. "

And if you want to limit DNS zone transfers, why not use the keyword
"allow-transfer"? It can solve your question easily!
e.g.
options {
        allow-transfer { ip.of.trust.server; };
};

--
I want a better life

Yiming Gong
Senior System Administrator
China Telecom
yiming@security.zz.ha.cn
http://security.zz.ha.cn
0086-0371-7934907

> -----Original Message-----
> From: novitiate [mailto:novitiate@perlmonk.org]
> Sent: Tuesday, November 27, 2001 10:59 PM
> To: security-basics@securityfocus.com
> Subject: firewall / DNS question
>
>
> I want to limit DNS over TCP 53 to the servers that
> do zone transfers with me. Will this in any way affect
> resolvers that get responses bigger than a UDP packet will
> allow? The DNS RFC states that the TC bit is set in the
> DNS header, but it does not specify what if any action is taken
> by the resolver subsequent to that; I remember hearing that
> the resolver then uses TCP as the transport for the query.
>
> Can anyone help me on this one?
>
> novitiate
>
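An added illustration of the TC-bit behaviour Stevens describes and of the firewall question above (example code written for this page; it is not from the original post, from Stevens or from BIND): a small Python model of both sides of the exchange. The flag bits, the AXFR type code (252) and the two-byte length prefix used on TCP are taken from RFC 1035; the server, the example.com query and the 10.0.0.x answer records are constructed sample data, and the function names are this example's own.

```python
import struct

# Bit positions and type codes from RFC 1035; 512 is the UDP payload limit
# Stevens refers to in the quoted passage.
UDP_MAX_PAYLOAD = 512
FLAG_QR = 0x8000          # message is a response
FLAG_TC = 0x0200          # message was truncated
QTYPE_A = 1
QTYPE_AXFR = 252          # full zone transfer request


def encode_name(name):
    """Dotted hostname -> DNS label sequence."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed name at offset; returns (name, offset after it)."""
    labels = []
    while msg[offset] != 0:
        length = msg[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in question name not expected here")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1


def a_record(ip, ttl=300):
    """One A record whose owner name is a pointer (0xC00C) to the question name."""
    return b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4) + bytes(ip)


def build_message(txid, flags, qname, qtype, answers=()):
    """Header + one question + the given answer records (constructed sample data)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + b"".join(answers)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an}


def parse_question(msg):
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return qname, qtype, qclass


# --- server side -----------------------------------------------------------

def truncate_for_udp(full_response):
    """Over UDP the server sets TC and returns only the first 512 bytes, as the
    quoted text puts it (real servers usually cut at a record boundary)."""
    if len(full_response) <= UDP_MAX_PAYLOAD:
        return full_response
    txid, flags, *counts = struct.unpack("!HHHHHH", full_response[:12])
    header = struct.pack("!HHHHHH", txid, flags | FLAG_TC, *counts)
    return (header + full_response[12:])[:UDP_MAX_PAYLOAD]


def simulated_server(query, n_records):
    """Constructed stand-in for an authoritative server: answers the question
    with n_records A records in 10.0.0.0/8 (sample addresses)."""
    hdr = parse_header(query)
    qname, qtype, _ = parse_question(query)
    answers = [a_record((10, 0, 0, i % 256)) for i in range(n_records)]
    return build_message(hdr["id"], FLAG_QR, qname, qtype, answers)


# --- transport framing -----------------------------------------------------

def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with a two-byte length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream):
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


# --- resolver side ---------------------------------------------------------

def needs_tcp_retry(udp_response):
    """The rule Stevens describes: TC set means re-issue the query over TCP."""
    return parse_header(udp_response)["tc"]


def resolve(query, n_records):
    """Try UDP first; on truncation repeat the same query over TCP.
    Returns (transport actually used, complete response)."""
    udp_reply = truncate_for_udp(simulated_server(query, n_records))
    if not needs_tcp_retry(udp_reply):
        return "udp", udp_reply
    tcp_reply = unframe_from_tcp(frame_for_tcp(simulated_server(query, n_records)))
    return "tcp", tcp_reply


def classify_tcp_query(query):
    """What a firewall rule keyed only on 'TCP 53' cannot tell apart: a zone
    transfer (AXFR) versus an ordinary query retried after a TC response."""
    return "zone-transfer" if parse_question(query)[1] == QTYPE_AXFR else "ordinary-query"


if __name__ == "__main__":
    q = build_message(0x1234, 0x0100, "example.com", QTYPE_A)
    for n in (4, 40):
        transport, reply = resolve(q, n)
        print(f"{n} records: {len(reply)} bytes, answered over {transport}")
    print(classify_tcp_query(q), classify_tcp_query(build_message(1, 0, "example.com", QTYPE_AXFR)))
```

Run as a script it shows the 4-record answer fitting in UDP and the 40-record answer coming back truncated and then retried over TCP. The last function is the point of the thread: a port-level rule that admits only the transfer peers on TCP 53 cannot distinguish an AXFR from an ordinary query that was retried after truncation, so other resolvers needing a large answer from your server would be cut off; restricting transfers with allow-transfer in named.conf works at the layer that can tell the two apart.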


