nanog mailing list archives

Re: large organization nameservers sending icmp packets to dns servers.

From: David Conrad <drc () virtualized org>
Date: Wed, 8 Aug 2007 09:38:28 -0700


On Aug 8, 2007, at 8:59 AM, Jamie Bowden wrote:

How is answering a query on TCP/53 any MORE dangerous thananswering iton UDP/53? Really. I'd like to know how one of these securitynitwits
justifies it.  It's the SAME piece of software answering the query
either way.


How many bytes of shell code can you stuff in a 512 byte DNS UDP packet?

How many bytes of shell code can you stuff in a TCP DNS connection?

Rgds,
-drc

P.S. I still think blocking TCP/53 is stupid.

Current thread:

Re: Industry best practices (was Re: large organization nameservers, (continued)
- - - Re: Industry best practices (was Re: large organization nameservers Paul Vixie (Aug 09)
    - Re: Industry best practices (was Re: large organization nameservers Sean Donelan (Aug 11)
    - Re: large organization nameservers sending icmp packets to dns servers. Valdis . Kletnieks (Aug 07)
    - Re: large organization nameservers sending icmp packets to dns servers. Patrick W. Gilmore (Aug 07)
    - Re: large organization nameservers sending icmp packets to dns servers. Donald Stahl (Aug 07)
    - Re: large organization nameservers sending icmp packets to dns servers. Steve Gibbard (Aug 07)
    - Re: large organization nameservers sending icmp packets to dns servers. Andrew Sullivan (Aug 07)
    - RE: large organization nameservers sending icmp packets to dns servers. Jamie Bowden (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. Adrian Chadd (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. Joe Abley (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. David Conrad (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. Doug Barton (Aug 09)
    - Re: large organization nameservers sending icmp packets to dns servers. Matthew Black (Aug 10)
    - Re: large organization nameservers sending icmp packets to dns servers. Chris L. Morrow (Aug 07)
    - RE: large organization nameservers sending icmp packets to dns servers. David Schwartz (Aug 07)
    - Re: large organization nameservers sending icmp packets to dns servers. Valdis . Kletnieks (Aug 07)
    - Re: large organization nameservers sending icmp packets to dns servers. Tony Finch (Aug 08)
    - RE: large organization nameservers sending icmp packets to dns servers. william(at)elan.net (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. Patrick W. Gilmore (Aug 08)
    - Re: large organization nameservers sending icmp packets to dns servers. Stephane Bortzmeyer (Aug 09)
    - Re: large organization nameservers sending icmp packets to dns servers. Chris L. Morrow (Aug 10)

(Thread continues...)