[unisog] DNS over TCP should we block

John Kristoff jtk at northwestern.edu
Tue Jan 4 19:30:59 GMT 2005


On Tue, 4 Jan 2005 14:01:30 -0500
Vijay S Sarvepalli VSSARVEP <VSSARVEP at uncg.edu> wrote:

> This may have been discussed already.  I think DNS over TCP needs to be 
> allowed on the outgoing.  I tried to block and log this type of outgoing 
> queries FROM MY SOURCE IP (1023+) => REMOTE SERVERS (53) TCP

DNS over TCP should be permitted, in both directions.  Some things
will break if you do not allow it.

> This seems to drop some long reverse DNS lookups and some reverse DNS that 
> seems to be carved out at less than a class C

In general it will drop zone transfers, which may be your intention,
but also anything that doesn't fit in a 512-byte response.  This may
include a number of things; apparently you've recently seen but one
example.

Take a look at the second half of the following presentation to get
an idea of the sort of bad thing that can happen when DNS over TCP is
filtered:

  <http://www.nanog.org/mtg-0410/toyama.html>

Permit DNS over TCP and monitor.

John
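The failure mode described in this exchange, as an added example that is not part of the original thread: a server whose reverse-zone answer exceeds the classic 512-byte UDP limit sets the TC (truncated) bit, the resolver retries the same query over TCP port 53, and if that TCP retry is filtered the lookup simply fails. The zone contents, the transaction ID and the host names below are constructed for illustration and are not real hosts; the "server" and "resolver" are plain function calls so the whole thing runs offline.

```python
"""Simulated DNS truncation and TCP fallback (added example, constructed data)."""
import struct

UDP_MAX = 512          # classic DNS/UDP payload ceiling (RFC 1035 section 4.2.1)
TC_BIT = 0x0200        # "truncated" flag in the header flags word
QTYPE_PTR, QCLASS_IN = 12, 1

# Constructed sample zone (not real hosts): one reverse name with many PTRs
# (a "long reverse lookup"), one with only a couple.
ZONE = {
    "4.3.2.1.in-addr.arpa.": [f"host{i:02d}.lab.example.net." for i in range(30)],
    "5.3.2.1.in-addr.arpa.": ["gw.lab.example.net.", "router.lab.example.net."],
}

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return out + b"\x00"

def decode_name(msg, i):
    """Read an uncompressed name starting at msg[i]."""
    labels = []
    while msg[i] != 0:
        n = msg[i]
        labels.append(msg[i + 1:i + 1 + n].decode())
        i += 1 + n
    return ".".join(labels) + "."

def skip_name(msg, i):
    """Return the offset just past the name at msg[i] (handles a compression pointer)."""
    while True:
        n = msg[i]
        if n == 0:
            return i + 1
        if n & 0xC0 == 0xC0:          # 2-byte pointer terminates the name
            return i + 2
        i += 1 + n

def build_query(qname, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)

def build_response(query, targets):
    """Echo the question and append one PTR record per target."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    answers = b""
    for t in targets:
        rdata = encode_name(t)
        # 0xC00C = pointer to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_PTR, QCLASS_IN, 3600, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(targets), 0, 0)  # QR, RD, RA
    return header + question + answers

def truncate_for_udp(msg):
    """Server side: over UDP, a reply above 512 bytes is cut back to the question with TC set."""
    if len(msg) <= UDP_MAX:
        return msg
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qend = skip_name(msg, 12) + 4
    return struct.pack("!HHHHHH", txid, flags | TC_BIT, qd, 0, 0, 0) + msg[12:qend]

def serve(query, transport):
    """Stand-in for the remote authoritative server on UDP/53 or TCP/53."""
    full = build_response(query, ZONE.get(decode_name(query, 12), []))
    if transport == "tcp":
        return struct.pack("!H", len(full)) + full   # 2-byte length prefix (RFC 1035 section 4.2.2)
    return truncate_for_udp(full)

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_BIT)

def answer_count(msg):
    return struct.unpack("!H", msg[6:8])[0]

def lookup(qname, tcp_allowed):
    """Resolver side. Returns (transport, answer count), or None when the UDP reply
    was truncated and the firewall blocks the TCP retry (the case in the thread)."""
    query = build_query(qname)
    reply = serve(query, "udp")
    if not is_truncated(reply):
        return ("udp", answer_count(reply))
    if not tcp_allowed:
        return None
    framed = serve(query, "tcp")
    length = struct.unpack("!H", framed[:2])[0]
    return ("tcp", answer_count(framed[2:2 + length]))

if __name__ == "__main__":
    print(lookup("4.3.2.1.in-addr.arpa.", tcp_allowed=True))
    print(lookup("4.3.2.1.in-addr.arpa.", tcp_allowed=False))
    print(lookup("5.3.2.1.in-addr.arpa.", tcp_allowed=False))
```

The small reverse name completes over UDP either way; the 30-record one only completes when TCP/53 is permitted, and with TCP blocked the resolver has nothing to hand back, which is what shows up as "dropped" lookups in the firewall log.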
