[unisog] DNS over TCP should we block

hermit921 hermit921 at yahoo.com
Tue Jan 4 19:44:52 GMT 2005


Response packets over a certain size can't fit into a UDP packet, so TCP is 
required.  However, many places block TCP 53 because that also is the 
avenue for zone transfers, something you don't want to happen.  These days 
you can more securely configure the DNS server so it doesn't have to be as 
much of an issue, but we still have the TCP 53 port blocked at the 
perimeter anyway.

hermit921


>On 1/4/05 2:01 PM, "Vijay S Sarvepalli VSSARVEP" <VSSARVEP at uncg.edu> wrote:
>
> > This may have been discussed already.  I think DNS over TCP needs to be
> > allowed on the outgoing.  I tried to block and log this type of outgoing
> > queries
> > FROM MY SOURCE IP (1023+) => REMOTE SERVERS (53) TCP
> >
> > This seems to drop some long reverse dns lookups and some reverse dns that
> > seems to be carved out less than class c
> > for e.g.
> >
> > 220.11.13.144.in-addr.arpa.     CNAME
> > 220-227-customer-700-block-west-singapore .11.13.14.in-addr.arpa
> > 220-227-customer-700-block-west-singapore .11.13.14.in-addr.arpa.   NS
> > nsab.teledyne.com
> >
> > These types of queries exceed 512 bytes and require TCP ??
> > iptables log example from a linux host running named.. ->
> > IN= OUT=eth0 SRC=X.X.X.X DST=Y.Y.Y.Y LEN=60 TOS=0x00 PREC=0x00 TTL=64
> > ID=58067 DF PROTO=TCP SPT=49758 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
> >
> > I am not sure can someone shed light on this?
> >
> > Vijay
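
Added example, not part of the thread: Python that builds a constructed PTR/CNAME reply of the shape quoted above, applies the classic 512-byte UDP limit (RFC 1035, before EDNS0 raises it), and shows the TC bit that makes a resolver retry over TCP 53 plus the two-byte length prefix TCP framing adds. All names, IDs and record counts are constructed sample data.

```python
import struct

UDP_MAX = 512    # classic DNS UDP payload limit (RFC 1035), before EDNS0
TC_BIT = 0x0200  # truncation flag in the DNS header flags word


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS wire labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname: str, targets: list[str]) -> bytes:
    """Minimal response: header, one PTR question, one CNAME answer per target.
    Constructed sample data; a real reply would use name compression."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(targets), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 12, 1)  # PTR, IN
    answers = b""
    for target in targets:
        rdata = encode_name(target)
        answers += encode_name(qname) + struct.pack("!HHIH", 5, 1, 3600, len(rdata)) + rdata
    return header + question + answers


def udp_truncate(msg: bytes) -> bytes:
    """Server side: a reply longer than 512 bytes cannot go out in a classic UDP
    datagram, so it is cut at the limit and TC is set to signal incompleteness."""
    if len(msg) <= UDP_MAX:
        return msg
    flags = struct.unpack("!H", msg[2:4])[0] | TC_BIT
    return msg[:2] + struct.pack("!H", flags) + msg[4:UDP_MAX]


def needs_tcp_retry(msg: bytes) -> bool:
    """Client side: a set TC bit means the UDP answer is incomplete, so the
    resolver re-asks over TCP 53 (the SYN seen in the iptables log above)."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_BIT)


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg
```

A single long CNAME answer still fits in UDP; only when the reply grows past 512 bytes does the TC path, and therefore the outbound TCP 53 connection, come into play.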



