Security Basics mailing list archives

RE: TCP DNS requests


From: "Mike Powell" <mpowell () mijk dnsalias com>
Date: Wed, 30 Oct 2002 22:56:44 -0000

Carl

I believe that DNS lookups use UDP because the request and response can
each fit into one packet.  If a DNS request is for some reason larger
than 512 bytes which is the maximum size for a UDP packet (RFC1035 [6])
then the client will use TCP instead.  Closing this port to internal
clients could therefore prevent some DNS lookups.

Why some lookups would be larger I guess would depend on the length of
the domain name contained in the packet(s)?

Mike Powell
Barry College
Wales
mpowell () barry ac uk 


-----Original Message-----
From: Carl R Diliberto [mailto:cdiliberto () hotmail com] 
Sent: 30 October 2002 13:46
To: security-basics
Subject: TCP DNS requests

We are reporting TCP based DNS requests to one of our DNS servers coming
from internal, client IP addresses.  My manager would like to block the
TCP packets.  What or why would there be random TCP packets?  We monitored
several clients and it appears it only needs UDP.

Thanks
Carl


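The fallback Mike describes (a UDP answer that does not fit in 512 bytes comes back with the TC bit set, and the client repeats the query over TCP, where each message carries a 2-byte length prefix) can be seen in the wire format. The following is an added example, not code from either poster; the response bytes are constructed inline to show both the truncated and the normal case.

```python
import struct

DNS_UDP_MAX = 512  # RFC 1035 limit for a DNS message carried over UDP

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query (type A by default) with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def is_truncated(response):
    """True when the TC bit (0x0200 in the flags word) is set in a DNS header."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)

def choose_transport(response):
    """A resolver keeps the UDP answer unless it was truncated; then it retries over TCP."""
    return "tcp" if is_truncated(response) else "udp"

def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def split_tcp_stream(payload):
    """Split a captured TCP DNS byte stream back into individual DNS messages."""
    msgs, pos = [], 0
    while pos + 2 <= len(payload):
        (length,) = struct.unpack("!H", payload[pos:pos + 2])
        msgs.append(payload[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs

# Constructed sample responses: same question section, differing only in the flags word.
_QUESTION = build_query("example.com")[12:]
# flags 0x8380 = QR | TC | RD | RA : server could not fit the answer in a UDP datagram
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _QUESTION
# flags 0x8180 = QR | RD | RA : complete answer, no TCP retry needed
NORMAL_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    q = build_query("example.com")
    print("UDP query bytes:", len(q), "fits in UDP:", len(q) <= DNS_UDP_MAX)
    print("truncated answer ->", choose_transport(TRUNCATED_RESPONSE))
    print("normal answer    ->", choose_transport(NORMAL_RESPONSE))
    stream = frame_for_tcp(q) + frame_for_tcp(NORMAL_RESPONSE)
    print("messages recovered from TCP stream:", len(split_tcp_stream(stream)))
```

Seeing a few TCP DNS connections from ordinary clients is therefore expected behaviour rather than a sign of anything unusual, and blocking them would make those particular lookups fail.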