[unisog] DNS over TCP should we block

Vijay S Sarvepalli VSSARVEP VSSARVEP at uncg.edu
Tue Jan 4 19:01:30 GMT 2005


This may have been discussed already.  I think DNS over TCP needs to be 
allowed outgoing.  I tried to block and log this type of outgoing 
query:
FROM MY SOURCE IP (1023+) => REMOTE SERVERS (53) TCP

This seems to drop some long reverse DNS lookups and some reverse DNS that 
seems to be carved out at less than a class C, 
e.g.:

220.11.13.144.in-addr.arpa.     CNAME   220-227-customer-700-block-west-singapore.11.13.14.in-addr.arpa
220-227-customer-700-block-west-singapore.11.13.14.in-addr.arpa.   NS   nsab.teledyne.com

These types of queries exceed 512 bytes and require TCP??
iptables log example from a Linux host running named:
IN= OUT=eth0 SRC=X.X.X.X DST=Y.Y.Y.Y LEN=60 TOS=0x00 PREC=0x00 TTL=64 
ID=58067 DF PROTO=TCP SPT=49758 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0

I am not sure; can someone shed light on this?

Vijay
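The behaviour the post is asking about, as an added example that is not part of the original message: a stub resolver sends its query over UDP and retries over TCP only when the UDP answer comes back with the TC (truncated) bit set, which is what produces outbound SYNs to port 53 like the one logged above. The log line and the DNS responses below are constructed sample data (192.0.2.10 and 198.51.100.53 are documentation addresses standing in for the X.X.X.X / Y.Y.Y.Y in the post).

```python
import struct

# Constructed sample iptables LOG line in the same format as the post (not captured traffic).
IPTABLES_LINE = ("IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.53 LEN=60 TOS=0x00 PREC=0x00 "
                 "TTL=64 ID=58067 DF PROTO=TCP SPT=49758 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0")


def parse_iptables_line(line):
    """Split an iptables LOG line into a dict; bare flags such as DF and SYN map to True."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields[tok] = True
    return fields


def is_outbound_dns_tcp_syn(fields):
    """True when the line is a new outbound TCP connection to port 53, i.e. a resolver's TCP fallback."""
    return (fields.get("PROTO") == "TCP" and fields.get("DPT") == "53"
            and fields.get("SYN") is True and fields.get("OUT", "") != "")


def dns_header(msg):
    """Parse the fixed 12-byte DNS header (RFC 1035 section 4.1.1) and return the fields used here."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident,
            "qr": bool(flags & 0x8000),   # bit 15: 1 = response
            "tc": bool(flags & 0x0200),   # bit 9: message was truncated (UDP payload > 512 bytes)
            "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def needs_tcp_retry(msg):
    """A stub resolver retries the query over TCP when the UDP answer is a response with TC set."""
    header = dns_header(msg)
    return header["qr"] and header["tc"]


# Constructed UDP responses, ID 0x1234, QDCOUNT=1. Flags 0x8380 = QR|TC|RD|RA; 0x8180 = QR|RD|RA.
TRUNCATED_RESPONSE = struct.pack("!6H", 0x1234, 0x8380, 1, 0, 0, 0)
COMPLETE_RESPONSE = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 0)
```

Running `needs_tcp_retry` over the two constructed responses shows why blocking outbound TCP/53 breaks exactly the large reverse-zone answers the post lists: the UDP reply arrives truncated and the retry that would complete it is the connection the firewall drops.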
