Re: Firewall question

From: PES (pestewart@adelphia.net)
Date: 03/15/03

• Next message: Manne Laukkanen: "Re: Keystroke Monitoring Software"
• Previous message: Ric Griffy: "Re: Firewall question"
• In reply to: PES: "Re: Firewall question"
• Next in thread: Wayne McGlinn: "Re: Firewall question"
• Reply: Wayne McGlinn: "Re: Firewall question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "PES" <pestewart@adelphia.net>
Date: Sat, 15 Mar 2003 12:05:38 -0500

My bad. Lars is correct per rfc 1912
http://www.ietf.org/rfc/rfc1912.txt?number=1912 . This is contrary to rfc
1536 which specifies zone transfers, but it does not limit it to that.

Per the rfc
"You also run the risk of overflowing the 512-
   byte limit of a UDP packet in the response to an NS query. If this
   happens, resolvers will "fall back" to using TCP requests, resulting
   in increased load on your nameserver."

"PES" <pestewart@adelphia.net> wrote in message
news:3e7353a0$1_1@news.iglou.com...
> Me too, I find it hard to believe that a udp req could net a tcp reply.
> Obviously the dns client don't know the size of the response in advance
and
> would therefore issue the req as std udp.
>
>
> "Wayne McGlinn" <wmcglinn@optushome.com.au> wrote in message
> news:3e733226$0$5554$afc38c87@news.optusnet.com.au...
> >
> > > >You don't need TCP 53, only UDP 53. I don't suppose that your mail
> server
> > is
> > > >going to need to do zone transfers, just look up MX records.
> > > >
> > > >Chris.
> > > >
> > >
> > > 53 TCP is not only for zone transfers, but also larger DNS answers.
> > > Lars M. Hansen
> >
> > May I ask where you got this from? AFAIK, all DNS client lookups are
done
> > using UDP, whether recursive or iterative. The size of an answer should
> > make no difference. Sections 4.2 and 4.2.1 of RFC 1035 (STD13) refer to
> UDP
> > for lookups, TCP for Zone Transfers. I'd be appreciative if you could
> point
> > me to references about DNS queries using TCP.
> >
> > Wayne McGlinn
> > Brisbane, Oz
> >
> >
>
>

• Next message: Manne Laukkanen: "Re: Keystroke Monitoring Software"
• Previous message: Ric Griffy: "Re: Firewall question"
• In reply to: PES: "Re: Firewall question"
• Next in thread: Wayne McGlinn: "Re: Firewall question"
• Reply: Wayne McGlinn: "Re: Firewall question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: TCP DNS requests ... udp is used for normal domain queries. ... definitely stop any zone transfers, but the occasional DNS query might not ... My manager would like to block the TCP ... several clients and it appears it only needs UDP. ... (Security-Basics) MIT kpasswd RFC 3244 and TCP ... RFC 3244 says the server will support both UDP and TCP. ... Although the RFC does not say the client has to support TCP, ... (comp.protocols.kerberos) Re: which ports & protocols are necessary? ... :None of them use UDP, but don't forget the DNS service, ... only switches to TCP 53 for queries if the response had the "result was ... DNS uses TCP 53 for zone transfers not because going TCP is special but ... (comp.security.misc) Re: which ports & protocols are necessary? ... :None of them use UDP, but don't forget the DNS service, ... only switches to TCP 53 for queries if the response had the "result was ... DNS uses TCP 53 for zone transfers not because going TCP is special but ... (comp.security.firewalls) NFS problem with recent 2.6 kernels (also serial console weirdness) ... 100000 2 tcp 111 portmapper ... 100000 2 udp 111 portmapper ... mounted filesystem with ordered data mode. ... Mounted root (ext3 filesystem) readonly. ... (Linux-Kernel)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint