[unisog] DNS over TCP should we block

Jim Duncan jnduncan at cisco.com
Tue Jan 4 19:37:10 GMT 2005


Vijay S Sarvepalli VSSARVEP writes:
| This may have been discussed already.  I think DNS over TCP needs to be
| allowed on the outgoing.  [...]
| I am not sure; can someone shed light on this?

This is a seriously misunderstood problem.  Any time a DNS response is too
large to fit into a single UDP packet, the system has to retry using a
virtual circuit, i.e., TCP.

Very many people -- including a lot of DNS "experts" -- believe that TCP is
only used for zone transfers, and that by blocking it one is protecting
wholesale leakage of one's DNS space.  That is short-sighted.

Blocking TCP port 53 causes all sorts of interesting and bizarre problems
that are difficult to associate with the real cause, and thus many of the
"experts" never fully realize the problem they've caused.

Please don't block it without thinking carefully about the results.

I hope this is helpful.


Jim Duncan, jnduncan at cisco.com, +1 919 392 6209
Critical Infrastructure Assurance Group, Cisco Systems, Inc.
Group URL: http://cisco.com/security_services/ciag/.
PGP: DSS 4096/1024 E09E EA55 DA28 1399 75EB D6A2 7092 9A9C 6DC3 1821



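What the UDP-to-TCP retry described above looks like on the wire, as an added example in Python (not code from the original post, from Cisco, or from any real resolver): a minimal stub resolver that sends a query over UDP, checks the TC (truncated) bit in the reply header, and repeats the identical query over TCP using the 2-byte length framing that DNS over TCP requires (RFC 1035, section 4.2.2). The name server is a constructed stand-in (make_fake_server) that sets TC=1 over UDP whenever the full reply would exceed 512 bytes; the host name www.example.com, the 192.0.2.x and 198.51.100.x addresses, the 300-second TTL and the 512-byte limit (no EDNS0) are assumptions chosen for the example.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
TYPE_A, CLASS_IN = 1, 1
UDP_MAX = 512  # classic DNS/UDP payload limit; assumes EDNS0 is not in use

def encode_name(name):
    """Dotted hostname -> DNS label wire format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qid, name, qtype=TYPE_A):
    """Standard recursive query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def parse_header(msg):
    """Header fields a resolver needs before deciding what to do with a reply."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "is_response": bool(flags & FLAG_QR), "truncated": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def skip_name(msg, off):
    """Offset just past a name, whether spelled out in labels or a compression pointer."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:   # 2-byte pointer ends the name
            return off + 2
        if length == 0:               # root label ends the name
            return off + 1
        off += 1 + length

def parse_a_records(msg):
    """IPv4 addresses from the answer section of a response."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(hdr["ancount"]):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def unframe_from_tcp(stream):
    """Strip the length prefix and return exactly one message."""
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("short TCP read")
    return stream[2:2 + length]

def resolve(name, send_udp, send_tcp, qid=0x1234):
    """Ask over UDP first; if the reply carries TC=1, repeat the same query over TCP.
    send_udp(query) / send_tcp(framed_query) return raw reply bytes.  Returns (addrs, transport)."""
    query = build_query(qid, name)
    reply = send_udp(query)
    hdr = parse_header(reply)
    if hdr["id"] != qid or not hdr["is_response"]:
        raise ValueError("UDP reply does not match our query")
    if not hdr["truncated"]:
        return parse_a_records(reply), "udp"
    # TC=1: the UDP answer is incomplete and must not be used.  This retry is the
    # traffic a "block TCP/53" rule drops, so the lookup hangs or fails here.
    reply = unframe_from_tcp(send_tcp(frame_for_tcp(query)))
    if parse_header(reply)["id"] != qid:
        raise ValueError("TCP reply does not match our query")
    return parse_a_records(reply), "tcp"

def make_fake_server(addresses):
    """Constructed stand-in for a name server (not a real one).  Answers every A query with
    `addresses`; over UDP it sends TC=1 and no answers when the full reply exceeds UDP_MAX."""
    base = FLAG_QR | FLAG_RD | FLAG_RA
    def full_reply(query):
        # each RR's owner name is a pointer (0xC00C) back to the question name at offset 12
        rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                       + socket.inet_aton(ip) for ip in addresses)
        return query[:2] + struct.pack("!HHHHH", base, 1, len(addresses), 0, 0) + query[12:] + rrs
    def udp(query):
        reply = full_reply(query)
        if len(reply) <= UDP_MAX:
            return reply
        return query[:2] + struct.pack("!HHHHH", base | FLAG_TC, 1, 0, 0, 0) + query[12:]
    def tcp(framed_query):
        return frame_for_tcp(full_reply(unframe_from_tcp(framed_query)))
    return udp, tcp
```

A two-address reply for www.example.com is 65 bytes and comes back over UDP; forty A records make the same reply 673 bytes, so the fake server answers UDP with TC=1 and resolve() only gets the addresses after the TCP retry. To use the same resolve() against a real server, supply send_udp and send_tcp built on the socket module (sendto/recv for UDP; create_connection/sendall for TCP, then read the 2-byte length and exactly that many bytes). With outbound TCP/53 blocked, the send_tcp call is the step that times out, which is the kind of failure the post says is hard to trace back to the firewall rule.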