Security Basics mailing list archives
RE: TCP DNS requests
From: "Wolf, Glenn" <glenn.wolf () we-inc com>
Date: Fri, 1 Nov 2002 10:45:50 -0800
Note that you can sometimes have tcp/53 connections for queries. For instance, on Windows nslookup, if you do "ls domain.name" you can see the tcp/53 connection in netstat.

Glenn
From the comp.protocols.tcp-ip.domains Frequently Asked Questions (FAQ):
-----------------------------------------------------------------------
Date: Fri Feb 10 15:40:10 EST 1995
Subject: Q1.16 - DNS ports

Q: Does anyone out there have any information/experience on exactly which TCP/UDP ports DNS uses to send and receive queries?

A: Use the following chart:

    Prot  Src    Dst    Use
    udp   53     53     Queries between servers (eg, recursive queries)
                        Replies to above
    tcp   53     53     Queries with long replies between servers, zone transfers
                        Replies to above
    udp   >1023  53     Client queries (sendmail, nslookup, etc ...)
    udp   53     >1023  Replies to above
    tcp   >1023  53     Client queries with long replies
    tcp   53     >1023  Replies to above

Note: >1023 is for non-priv ports on Un*x clients. On other client types, the limit may be more or less.

Another point to keep in mind when designing filters for DNS is that a DNS server uses port 53 both as the source and destination for its queries. So, a client queries an initial server from an unreserved port number to UDP port 53. If the server needs to query another server to get the required info, it sends a UDP query to that server with both source and destination ports set to 53. The response is then sent with the same src=53 dest=53 to the first server, which then responds to the original client from port 53 to the original source port number. The point of all this is that putting in filters to only allow UDP between a high port and port 53 will not work correctly; you must also allow the port 53 to port 53 UDP to get through.

Also, ALL versions of BIND use TCP for queries in some cases. The original query is tried using UDP. If the response is longer than the allocated buffer, the resolver will retry the query using a TCP connection. If you block access to TCP port 53 as suggested above, you may find that some things don't work.
-----Original Message-----
From: Leonard.Ong () nokia com [mailto:Leonard.Ong () nokia com]
Sent: Thursday, October 31, 2002 5:51 PM
To: security-basics () securityfocus com
Subject: RE: TCP DNS requests

Yes, I am confirming this. Zone transfer uses TCP/53, while queries use UDP/53.

Regards,
Leonard Ong
Network Security Specialist, APAC
NOKIA
Email. Leonard.Ong () nokia com
Mobile. +65 9431 6184
Phone. +65 6723 1724
Fax. +65 6723 1596

-----Original Message-----
From: ext Daniel Miessler [mailto:danielrm26 () hotmail com]
Sent: Friday, November 01, 2002 1:20 AM
To: 'Carl R Diliberto'; 'security-basics'
Subject: RE: TCP DNS requests

Zone Transfers use TCP instead of UDP on port 53. That is most likely what you are seeing.

--Daniel
We are reporting TCP based DNS requests to one of our DNS servers coming from internal, client IP addresses. My manager would like to block the TCP packets. What or why would there be random TCP packets? We monitored several clients and it appears it only needs UDP.