Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Pubstro rash

From: "Joshua Berry" <jberry () PENSON COM>
Date: Fri, 18 Mar 2005 09:30:51 -0600
I have never had a DNS query that had a response that was over 512
bytes.  For that reason I disable all inbound DNS over 53/tcp.  I have
been using this configuration for years and even run my own DNS servers
and have see absolutely no problems.

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () utc edu] 
Sent: Thursday, March 17, 2005 6:07 PM
To: alexandre.skyrme () ciphersec com br
Cc: incidents () securityfocus com; gillettdavid () fhda edu
Subject: Re: Pubstro rash

Alexandre Skyrme wrote:

Greetings David,

Just a thought about your third comment...

As far as I'm concerned DNS just uses 53/TCP to do zone transfers. In

case

your workstations are on a different network than your DNS servers it

should

probably be safe to block incoming TCP connections to that network on

such

port.

Tipically zone transfers would only be used by secondary servers to

update

their own zones from its primary server.


RFC1035 allows 512 bytes for a DNS response (53) but they may now be 
longer, according to RFC2671 and others.  If the DNS query fails or is 
"truncated", the query may be repeated over TCP.

So, 53/tcp is NOT just for zone transfers.

Jeff
Previous By Date Next
Previous By Thread Next

Current thread: