nanog mailing list archives
Re: large organization nameservers sending icmp packets to dns servers.
From: Joe Abley <jabley () ca afilias info>
Date: Wed, 8 Aug 2007 12:15:44 -0400
On 8-Aug-2007, at 11:59, Jamie Bowden wrote:
> I have a question related to what you posted below, and it's a pretty simple one: How is answering a query on TCP/53 any MORE dangerous than answering it on UDP/53? Really. I'd like to know how one of these security nitwits justifies it. It's the SAME piece of software answering the query either way.
There are people (I believe; this is a little rumour-laden) who take the approach that 53/tcp is actually safer than 53/udp, since the handshake makes it easier to believe the query's source address. The approach I heard about was to reply to UDP-transport queries with some minimal answer set with TC set, and serve a more useful set of information over TCP once the re-query arrives.
[I realise that the state involved in handling TCP queries on a busy server is non-trivial, and that there are many aspects to this approach which deserve raised eyebrows.]
However, my point is that "TCP is more secure than UDP" also has a posse.
Joe
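The UDP-gets-TC, TCP-gets-data scheme Joe describes, written out as an added example. This is not code from the original post or from any real nameserver: the zone name and the 192.0.2.x addresses are made up for the example, and the `transport` argument to `handle_query` stands in for the UDP socket or accepted TCP connection a real server would be reading from. Both sides of the exchange are shown so the fallback a resolver is expected to perform after a truncated reply is visible.

```python
import struct

# Constructed zone for the example (RFC 5737 documentation addresses; not from the thread).
ZONE = {
    ("example.net.", 1): ["192.0.2.1", "192.0.2.2", "192.0.2.3"],
}

QR, AA, TC = 0x8000, 0x0400, 0x0200  # DNS header flag bits used below


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, off):
    """Read an uncompressed name at off; return (name, offset after the name)."""
    labels = []
    while data[off] != 0:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_query(qid, name, qtype=1):
    """Standard query with one question and RD=1."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def a_record(addr, ttl=300):
    """A RR whose owner name is a compression pointer (0xC00C) to the question name."""
    rdata = bytes(int(o) for o in addr.split("."))
    return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata


def build_response(query, answers, truncated):
    """Authoritative response echoing the query's single question."""
    qid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    flags = QR | AA | (TC if truncated else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
    return header + question + b"".join(a_record(a) for a in answers)


def parse_message(data):
    """Parse header, question and A answers of a query or response."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = decode_name(data, 12)
    qtype = struct.unpack("!H", data[off:off + 2])[0]
    off += 4
    answers = []
    for _ in range(an):
        if data[off] & 0xC0 == 0xC0:       # compression pointer to the question name
            off += 2
        else:
            _, off = decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"id": qid, "tc": bool(flags & TC), "qname": qname, "qtype": qtype,
            "ancount": an, "answers": answers}


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    n = struct.unpack("!H", data[:2])[0]
    return data[2:2 + n]


def handle_query(query, transport):
    """Server side: UDP gets a minimal TC=1 reply, TCP gets the real RRset."""
    q = parse_message(query)
    rrset = ZONE.get((q["qname"], q["qtype"]), [])
    if transport == "udp":
        # Minimal answer set (empty here) with TC set. A genuine resolver re-queries
        # over TCP; a spoofed source address never completes the handshake.
        return build_response(query, [], truncated=True)
    # Only a peer that finished the three-way handshake reaches this branch.
    return tcp_frame(build_response(query, rrset, truncated=False))


def resolver_lookup(name, qtype=1, qid=0x1234):
    """Client side: query over UDP, retry over TCP when TC is set."""
    query = build_query(qid, name, qtype)
    udp_reply = parse_message(handle_query(query, "udp"))
    if not udp_reply["tc"]:
        return udp_reply["answers"], "udp"
    tcp_reply = parse_message(tcp_unframe(handle_query(query, "tcp")))
    return tcp_reply["answers"], "tcp"


if __name__ == "__main__":
    print(resolver_lookup("example.net."))
```

Every successful lookup in this scheme costs the server a TCP connection rather than one datagram, which is the state cost Joe flags in his bracketed note; the example does nothing about that, it only shows the mechanism.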