RE: DNS Records

["David Gillett" <gillettdavid () fhda edu>]

  Unfortunately, this approach may be subject to semi-random
failures, because it embodies a common misconception about 
how DNS works.

  A DNS server will use TCP instead of UDP to return the
results of a query if the size of the result exceeds some
threshold value, even if the original query was not a 
zone transfer request.
  For many simple domains, this may never happen in normal
operation, but it's not safe to assume that all domains have
this property.  A properly-configured all-purpose DNS server
needs access to both 53/udp and 53/tcp.

  The correct way to block zone transfers is in the DNS server
software config, not the firewall.

David Gillett

> -----Original Message-----
> From: Charlie Winckless [mailto:CharlieW () netarch com]
> Sent: June 18, 2003 16:27
> To: security-basics () securityfocus com
> Subject: RE: DNS Records
>
> Zone transfers happen on 53/TCP, rather than the 53/UDP that 
> is used for typical lookups.
>
> As such, if your DNS server is behind a firewall you have
> the option of layered security.
>
> You can configure your DNS server as below -- to only allow
> zone transfers from known servers (those which serve as 
> secondarys for the domains that that server is authoritative
> for at a minimum) and only allow 53/TCP connections from
> those systems.
>
> Just in case. :)
>
> - -- Charlie


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------