Firewall Wizards mailing list archives
Re: Does blocking TCP DNS packets keep your Bind safe?
From: "Steven M. Bellovin" <smb () research att com>
Date: Mon, 12 Mar 2001 16:30:53 -0500
In message <OFD4C17BEC.5B7E8C84-ON88256A0C.00169CE1@LocalDomain>, "Tony Rall" writes:

> All valid dns udp messages are no greater than 512 bytes (and this is one of the reasons why resolvers and servers need to be able to use tcp). It doesn't matter what version of bind is being used - this is explicitly required by rfc1035.

Yup; absolutely correct. It's also what's making it hard to deploy things like more root servers (there's no room for more A records in the packet) or DNSSEC -- signatures are big. See RFC 2671 for one proposed way around that limit -- but it doesn't do you any good today.

Using UDP only for standard features and common responses is a major design goal for DNS architects. Yes, there is the provision for fallback to TCP, but that's *much* more expensive.

--Steve Bellovin, http://www.research.att.com/~smb
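The 512-byte UDP limit, the TC-bit fallback to TCP and the RFC 2671 (EDNS0) OPT record that the two posts discuss, as an added Python example that is not code from the list thread; the query builder, the constructed sample responses and all function names are my own and are not from any real resolver:

```python
import struct

DNS_UDP_MAX = 512  # RFC 1035 section 2.3.4: plain UDP messages are capped here
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def build_query(qname, qtype=1, txid=0x1234, edns_udp_size=None):
    """Build a DNS query; optionally append an EDNS0 OPT RR (RFC 2671)
    advertising that we can receive UDP replies larger than 512 bytes."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    for label in qname.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, the CLASS field carries the payload size,
        # TTL field carries extended RCODE/version/flags (0), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "arcount": ar}


def needs_tcp_retry(response):
    """RFC 1035: a reply with TC set was cut to fit UDP; the resolver must
    repeat the query over TCP (the expensive fallback the posts refer to)."""
    return parse_header(response)["tc"]


def tcp_frame(msg):
    """RFC 1035 section 4.2.2: over TCP each message is prefixed by its length."""
    return struct.pack("!H", len(msg)) + msg


def truncate_for_udp(response, limit=DNS_UDP_MAX):
    """Server side of the same rule: an oversized reply is cut at the limit
    and TC is set. (A real server cuts at an RR boundary and fixes up the
    section counts; this simplified version cuts at the raw byte limit.)"""
    if len(response) <= limit:
        return response
    flags = struct.unpack("!H", response[2:4])[0] | FLAG_TC
    return response[:2] + struct.pack("!H", flags) + response[4:limit]


# Constructed samples (headers only): a complete reply and a truncated one
SAMPLE_OK = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR RD RA
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)  # +TC
```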