[unisog] DNS over TCP should we block

Steve Knodle slk at it.bu.edu
Wed Jan 5 15:40:29 GMT 2005


Please note that Boston University's mail gateway, "bu.edu",
has an MX record greater than 512 bytes.  MTAs that cannot
fail over from UDP to TCP (unpatched QMAIL, for example), are
known to return DNS-lookup failures.  So the risks
of causing silent failures by tinkering with this standard protocol are
not purely academic.

Steve Knodle
slk at bu.edu

Senior Systems Analyst
Office of Information Technology
Boston University
11 Cummington Street
Boston MA 02115
(617) 353-8016

On Tue, 4 Jan 2005, Reg Quinton wrote:

> > The threats that the original poster may want to avoid should be
> > discussed;
> > without this discussion, it's not possible to say whether blocking DNS
> > over
> > TCP (from where to where?) is the best way to mitigate them.  If zone
> > transfers are the threat in question:
>
> If all you worry about is zone transfers that's fine. But I'd suggest you
> not wait for the problems you haven't anticipated -- block it if you can. A
> well honored security principle is to never expose a service unless you have
> to.
>
> IMHO there's no need for anyone other than our campus DNS servers to conduct
> DNS conversations with remote systems.
>

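The failure mode Steve describes (a response too large for a 512-byte UDP payload, and a resolver that never retries over TCP) in a small added example that is not part of the thread. The DNS messages and the two transport functions below are constructed stand-ins, not real bu.edu data; a real client would replace them with UDP/TCP sockets to port 53.

```python
import struct

QR = 0x8000  # header flag: message is a response
TC = 0x0200  # header flag: response was truncated (did not fit the UDP limit)
MX = 15      # QTYPE for mail exchanger records

def build_query(qname, qtype=MX, txid=0x1234):
    """Build a minimal DNS query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def is_truncated(response):
    """True when the server set TC: the answer exceeded the classic 512-byte UDP payload."""
    if len(response) < 12:
        raise ValueError("short DNS header")
    return bool(struct.unpack("!H", response[2:4])[0] & TC)

def answer_count(response):
    """ANCOUNT from the header: how many answer records the message claims to carry."""
    return struct.unpack("!H", response[6:8])[0]

def resolve_udp_only(query, send_udp):
    """The broken client from the post: UDP only, so a truncated reply becomes a lookup failure."""
    resp = send_udp(query)
    if is_truncated(resp):
        raise LookupError("truncated answer and no TCP fallback")
    return resp

def resolve_with_fallback(query, send_udp, send_tcp):
    """RFC 1035 behaviour: try UDP, and on TC retry the same query over TCP."""
    resp = send_udp(query)
    if not is_truncated(resp):
        return "udp", resp
    framed = struct.pack("!H", len(query)) + query      # TCP adds a 2-byte length prefix
    tcp_resp = send_tcp(framed)
    length = struct.unpack("!H", tcp_resp[:2])[0]
    return "tcp", tcp_resp[2:2 + length]

def fake_udp(query):
    """Constructed server: echoes the id, sets QR|TC, carries no answers (oversized MX set)."""
    return query[:2] + struct.pack("!H", QR | TC) + query[4:]

def fake_tcp(framed):
    """Constructed server: over TCP, reply with a header claiming ANCOUNT=1 (body omitted)."""
    query = framed[2:]
    body = query[:2] + struct.pack("!HHHHH", QR, 1, 1, 0, 0) + query[12:]
    return struct.pack("!H", len(body)) + body
```

Blocking TCP/53 at the border turns the `resolve_with_fallback` path into the `resolve_udp_only` path for every external resolver querying your zone.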