nanog mailing list archives

Re: large organization nameservers sending icmp packets to dns servers.

From: Joe Abley <jabley () ca afilias info>
Date: Wed, 8 Aug 2007 12:15:44 -0400



On 8-Aug-2007, at 11:59, Jamie Bowden wrote:

I have a question related to what you posted below, and it's a pretty
simple one:
How is answering a query on TCP/53 any MORE dangerous thananswering iton UDP/53? Really. I'd like to know how one of these securitynitwits
justifies it.  It's the SAME piece of software answering the query
either way.

There are people (I believe; this is a little rumour-laden) who takethe approach that 53/tcp is actually safer than 53/udp, since thehandshake makes it easier to believe the query's source address. Theapproach I heard about was to reply to UDP-transport queries withsome minimal answer set with TC set, and serve a more useful set ofinformation over TCP once the re-query arrives.

[I realise that the state involved in handing TCP queries on a busyserver is non-trivial, and that there are many aspects to thisapproach which deserve raised eyebrows.]

However, my point is that "TCP is more secure than UDP" also has aposse.

Joe

Current thread:

Re: Industry best practices (was Re: large organization nameservers sending icmp packets to dns servers), (continued)
- - - Re: Industry best practices (was Re: large organization nameservers sending icmp packets to dns servers) Doug Barton (Aug 09)
    - Re: Industry best practices (was Re: large organization nameservers Paul Vixie (Aug 09)
    - Re: Industry best practices (was Re: large organization nameservers Sean Donelan (Aug 11)
    - Re: large organization nameservers sending icmp packets to dns servers. Valdis . Kletnieks (Aug 07)
    - Re: large organization nameservers sending icmp packets to dns servers. Patrick W. Gilmore (Aug 07)
    - Re: large organization nameservers sending icmp packets to dns servers. Donald Stahl (Aug 07)
    - Re: large organization nameservers sending icmp packets to dns servers. Steve Gibbard (Aug 07)
    - Re: large organization nameservers sending icmp packets to dns servers. Andrew Sullivan (Aug 07)
    - RE: large organization nameservers sending icmp packets to dns servers. Jamie Bowden (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. Adrian Chadd (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. Joe Abley (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. David Conrad (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. Doug Barton (Aug 09)
    - Re: large organization nameservers sending icmp packets to dns servers. Matthew Black (Aug 10)
    - Re: large organization nameservers sending icmp packets to dns servers. Chris L. Morrow (Aug 07)
    - RE: large organization nameservers sending icmp packets to dns servers. David Schwartz (Aug 07)
    - Re: large organization nameservers sending icmp packets to dns servers. Valdis . Kletnieks (Aug 07)
    - Re: large organization nameservers sending icmp packets to dns servers. Tony Finch (Aug 08)
    - RE: large organization nameservers sending icmp packets to dns servers. william(at)elan.net (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. Patrick W. Gilmore (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. Stephane Bortzmeyer (Aug 09)

(Thread continues...)