[unisog] DNS over TCP should we block

Florian Weimer fw at deneb.enyo.de
Wed Jan 5 00:43:31 GMT 2005


* Vijay S. Sarvepalli VSSARVEP:

> A) First problem:  I was thinking of blocking outgoing DNS over TCP from my
> servers as you know less services allowed through the firewall
> less trouble to worry about.

Apart from zone file transfers, DNS over TCP is the same protocol as
DNS over UDP.  In the past, vulnerabilities in TCP-based DNS also
affected UDP-based DNS.

Blocking resolver service for external networks is much, much more
important.  However, unless you operate one of the modern firewalling
devices which have lots of vulnerabilities on their own, filtering
resolver service is much harder because it might inadvertently run on
authoritative name servers, too.

> 3)  DOS attack on TCP port 53.

You've got the wrong perspective on this one.  DoS on 53/UDP is much
hard to defend against than DoS on 53/TCP.  The trouble with DNS is
that there is no way to identify non-spoofed sources in a statless
manner.  Therefore, it's been proposed to answer requests of unknown
origin with a truncated response, to force the resolver to requery
over TCP.  Now apply SYN cookies.  (Another option are fake CNAME
records which contain the cookie, but there's the disadvantage of
altered DNS data.)

There's a patent application from Riverhead, and Ri^H^HCisco Guard
probably implements it.



More information about the unisog mailing list