[unisog] DNS over TCP should we block

Glenn Forbes Fleming Larratt glratt at rice.edu
Wed Jan 5 16:31:17 GMT 2005


Oddly enough, it works over UDP for me. I don't know but what that may
be a protocol extension ("OPT UDPsize=4096"?):

10:25:54.669737 IP (tos 0x0, ttl 253, id 21791, offset 0, flags [DF], length: 63) our.net.DNS.svr.32786 > 128.197.253.182.53: [udp sum ok]  29721% [1au] MX? bu.edu. ar: . OPT UDPsize=2048 (35)
10:25:54.718929 IP (tos 0x0, ttl  54, id 0, offset 0, flags [DF], length: 912) 128.197.253.182.53 > our.net.DNS.svr.32786: [udp sum ok]  29721*- q: MX? bu.edu. 12/4/30 bu.edu. MX relay-mx10.bu.edu. 18, bu.edu. MX bu.edu. 20, bu.edu. MX relay.bu.edu. 8, bu.edu. MX relay-mx1.bu.edu. 9, bu.edu. MX relay-mx2.bu.edu. 10, bu.edu. MX relay-mx3.bu.edu. 11, bu.edu. MX relay-mx4.bu.edu. 12, bu.edu. MX relay-mx5.bu.edu. 13, bu.edu. MX relay-mx6.bu.edu. 14, bu.edu. MX relay-mx7.bu.edu. 15, bu.edu. MX relay-mx8.bu.edu. 16, bu.edu. MX relay-mx9.bu.edu. 17 ns: bu.edu. NS edns01.bu.edu., bu.edu. NS edns02.bu.edu., bu.edu. NS edns03.bu.edu., bu.edu. NS dnsbuild.bu.edu. ar: relay.bu.edu. A 128.197.27.247, relay.bu.edu. A 128.197.27.248, relay.bu.edu. A 128.197.27.249, relay.bu.edu. A 128.197.27.250, relay.bu.edu. A 128.197.27.251, relay.bu.edu. A 128.197.27.252, relay.bu.edu. A 128.197.27.197, relay.bu.edu. A 128.197.27.198, relay-mx1.bu.edu. A 128.197.27.198, relay-mx1.bu.edu. A 128.197.27.248, relay-mx1.bu.edu. A 128.197.27.249, relay-mx1.bu.edu. A 128.197.27.252, relay-mx2.bu.edu. A 128.197.27.197, relay-mx2.bu.edu. A 128.197.27.247, relay-mx2.bu.edu. A 128.197.27.250, relay-mx2.bu.edu. A 128.197.27.251, relay-mx3.bu.edu. A 128.197.27.252, relay-mx4.bu.edu. A 128.197.27.251, relay-mx5.bu.edu. A 128.197.27.250, relay-mx6.bu.edu. A 128.197.27.249, relay-mx7.bu.edu. A 128.197.27.248, relay-mx8.bu.edu. A 128.197.27.247, relay-mx9.bu.edu. A 128.197.27.198, relay-mx10.bu.edu. A 128.197.27.197, bu.edu. A 128.197.27.7, edns01.bu.edu. A 128.197.253.182, edns02.bu.edu. A 168.122.254.62, edns03.bu.edu. A 192.12.188.130, dnsbuild.bu.edu. A 128.197.253.140, . OPT UDPsize=4096 (884)
10:25:54.767148 IP (tos 0x0, ttl 253, id 21792, offset 0, flags [DF], length: 72) our.net.DNS.svr.32786 > 128.197.253.182.53: [udp sum ok]  22742% [1au] A? dnsbuild.bu.edu. ar: . OPT UDPsize=2048 (44)


		-g

				Glenn Forbes Fleming Larratt
				Rice University Networking
				glratt at rice.edu


On Wed, 5 Jan 2005, Steve Knodle wrote:

> Please note that Boston University's mail gateway, "bu.edu",
> has an MX record greater than 512 bytes.  MTA's that cannot
> fail over from UDP to TCP (unpatched QMAIL, for example), are
> known to return DNS-lookup failures.  So the risks
> of causing silent failures by tinkering with this standard protocol are
> not purely academic.
>
> Steve Knodle
> slk at bu.edu
>
> Senior Systems Analyst
> Office of Information Technology
> Boston University
> 11 Cummington Street
> Boston MA 02115
> (617) 353-8016
>
> On Tue, 4 Jan 2005, Reg Quinton wrote:
>
> > > The threats that the original poster may want to avoid should be
> > > discussed;
> > > without this discussion, it's not possible to say whether blocking DNS
> > > over
> > > TCP (from where to where?) is the best way to mitigate them.  If zone
> > > transfers are the threat in question:
> >
> > If all you worry about is zone transfers that's fine. But I'd suggest you
> > not wait for the problems you haven't anticipated -- block it if you can. A
> > well honored security principle is to never expose a service unless you have
> > to.
> >
> > IMHO there's no need for anyone other than our campus DNS servers to conduct
> > DNS conversations with remote systems.
> >
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/unisog
> >
>
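As an added example (not code from the thread), the Python below builds the same kind of EDNS0 query the capture above shows (a 35-byte MX query for bu.edu advertising a 2048-byte UDP payload) and parses a reply to decide whether it was truncated and so must be retried over TCP/53. The OPT pseudo-RR is what lets the 884-byte bu.edu answer arrive over UDP; a resolver without it gets a 512-byte reply with TC set, and if TCP/53 is blocked the lookup fails the way the quoted message describes. Name parsing assumes standard labels and compression pointers.

```python
import struct

OPT_TYPE = 41  # EDNS0 pseudo-RR type (RFC 2671)

def encode_name(name):
    """Encode a dotted name as a sequence of DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def build_query(name, qtype, txid, edns_udp_size=None):
    """Plain query, or an EDNS0 query advertising the UDP payload we accept."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)        # class IN
    if edns_udp_size:
        # OPT pseudo-RR: root name, type 41, CLASS field carries the UDP size,
        # TTL field carries EDNS version/flags (zero here), no RDATA.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg

def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = data[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + n

def parse_response(data):
    """Header flags plus the OPT UDP size, if the peer included one."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4            # QTYPE + QCLASS
    udp_size = None
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == OPT_TYPE:
            udp_size = rclass                      # sender's max UDP payload
        off += 10 + rdlen
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "answers": an, "opt_udp_size": udp_size, "length": len(data)}

def needs_tcp_retry(data):
    """A truncated (TC=1) UDP answer must be re-asked over TCP/53."""
    return parse_response(data)["tc"]
```

Sending the built query with a UDP socket to a resolver and feeding the reply to `needs_tcp_retry` shows directly which of a site's lookups depend on TCP/53 being open.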
