Security Basics mailing list archives

RE: TCP DNS requests


From: "Wolf, Glenn" <glenn.wolf () we-inc com>
Date: Fri, 1 Nov 2002 10:45:50 -0800

Note that you can sometimes have tcp/53 connections for queries.  For
instance, on Windows nslookup, if you do "ls domain.name" you can see the
tcp/53 connection in netstat.

Glenn


From the comp.protocols.tcp-ip.domains Frequently Asked Questions (FAQ):
-----------------------------------------------------------------------

 Date: Fri Feb 10 15:40:10 EST 1995
 Subject: Q1.16 - DNS ports
 
 Q: Does anyone out there have any information/experience on exactly which
    TCP/UDP ports DNS uses to send and receive queries ?
 
 A: Use the following chart:
 
    Prot Src   Dst   Use
    udp  53    53    Queries between servers (eg, recursive queries)
                     Replies to above
    tcp  53    53    Queries with long replies between servers, zone
                     transfers
                     Replies to above
    udp  >1023 53    Client queries (sendmail, nslookup, etc ...)
    udp  53    >1023 Replies to above
    tcp  >1023 53    Client queries with long replies
    tcp  53    >1023 Replies to above
 
    Note: >1023 is for non-priv ports on Un*x clients. On other client
          types, the limit may be more or less.
 
    Another point to keep in mind when designing filters for DNS is that a
    DNS server uses port 53 both as the source and destination for its
    queries.  So, a client queries an initial server from an unreserved
    port number to UDP port 53.  If the server needs to query another
    server to get the required info, it sends a UDP query to that server
    with both source and destination ports set to 53.  The response is then
    sent with the same src=53 dest=53 to the first server which then
    responds to the original client from port 53 to the original source
    port number.
 
    The point of all this is that putting in filters to only allow UDP
    between a high port and port 53 will not work correctly, you must also
    allow the port 53 to port 53 UDP to get through.
 
    Also, ALL versions of BIND use TCP for queries in some cases.  The
    original query is tried using UDP.  If the response is longer than
    the allocated buffer, the resolver will retry the query using a TCP
    connection.  If you block access to TCP port 53 as suggested above,
    you may find that some things don't work.
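The FAQ quoted above makes two points that are easy to get wrong in a filter: DNS traffic is not only high-port to UDP/53, and a resolver falls back to TCP when the UDP answer is truncated. The following added example (not part of the thread or of BIND; the function names, the 0x1234 transaction id and the constructed "truncated" response are all mine) encodes a query in RFC 1035 wire format, shows the 2-byte length prefix that DNS over TCP adds, reads the TC flag that triggers the TCP retry, and checks a 5-tuple against the FAQ's port chart so you can see which flows a "high port to 53 only" rule would drop:

```python
import struct
import random

DNS_PORT = 53


def build_query(name, qtype=1, txid=None):
    """Encode a recursive DNS query (12-byte header + one question), RFC 1035 wire format.
    qtype 1 = A record. txid is random unless the caller fixes it (tests do)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100  # QR=0 (query), opcode 0, RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def frame_for_tcp(message):
    """DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2);
    over UDP the same bytes are sent bare."""
    return struct.pack("!H", len(message)) + message


def parse_header(message):
    """Decode the fixed header. TC (bit 9 of flags) means the server had to truncate
    the UDP answer; the resolver then repeats the query over TCP, which is the
    behaviour the FAQ describes for BIND."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def needs_tcp_retry(udp_response, query_id):
    """True when the UDP reply for query_id is marked truncated, so TCP/53 must be reachable."""
    h = parse_header(udp_response)
    if h["id"] != query_id or not h["qr"]:
        raise ValueError("response does not belong to this query")
    return h["tc"]


def matches_faq_chart(proto, src_port, dst_port):
    """Return True if (proto, src, dst) falls in one of the FAQ chart's rows.
    Note that 53->53 in both directions is legitimate server-to-server traffic, and
    that TCP rows mirror the UDP ones; a filter allowing only udp high->53 misses both."""
    def nonpriv(p):
        return p > 1023  # the FAQ's ">1023" column, Unix non-privileged ports

    if proto not in ("udp", "tcp"):
        return False
    return (
        (src_port == DNS_PORT and dst_port == DNS_PORT)        # server <-> server
        or (nonpriv(src_port) and dst_port == DNS_PORT)        # client query
        or (src_port == DNS_PORT and nonpriv(dst_port))        # reply to client
    )


# Constructed sample: a reply to txid 0x1234 with QR, TC, RD and RA set and no answers,
# i.e. the server ran out of room and expects the client to come back over TCP.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)
    print("udp query bytes:", len(q), "tcp-framed:", len(frame_for_tcp(q)))
    print("retry over tcp?", needs_tcp_retry(TRUNCATED_REPLY, 0x1234))
    for flow in [("udp", 40000, 53), ("udp", 53, 53), ("tcp", 53, 40000), ("udp", 1023, 53)]:
        print(flow, "allowed by chart:", matches_faq_chart(*flow))
```

Run against a real resolver the same functions work unchanged: send `build_query(...)` over UDP, hand the reply to `needs_tcp_retry`, and if it returns True open a TCP connection to port 53 and send `frame_for_tcp(query)`. The chart check is the piece to hold next to your firewall rules: a "block TCP/53" rule silently breaks exactly the retry path this shows.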


-----Original Message-----
From: Leonard.Ong () nokia com [mailto:Leonard.Ong () nokia com] 
Sent: Thursday, October 31, 2002 5:51 PM
To: security-basics () securityfocus com
Subject: RE: TCP DNS requests


Yes, I am confirming this. Zone transfer uses TCP/53, while queries use
UDP/53.


Regards,
Leonard Ong
Network Security Specialist, APAC
NOKIA

Email.  Leonard.Ong () nokia com
Mobile. +65 9431 6184
Phone.  +65 6723 1724
Fax.    +65 6723 1596



-----Original Message-----
From: ext Daniel Miessler [mailto:danielrm26 () hotmail com]
Sent: Friday, November 01, 2002 1:20 AM
To: 'Carl R Diliberto'; 'security-basics'
Subject: RE: TCP DNS requests


Zone Transfers use TCP instead of UDP on port 53.  That is most likely what
you are seeing.

--Daniel

We are reporting TCP based DNS requests to one of our DNS servers coming
from internal, client IP addresses.  My manager would like to block the TCP
packets.  What or why would there be random TCP packets?  We monitored
several clients and it appears it only needs UDP.

