nanog mailing list archives

Re: DNS problems to RoadRunner - tcp vs udp

From: Scott McGrath <mcgrath () fas harvard edu>
Date: Sat, 14 Jun 2008 16:40:10 -0400

Not to toss flammables onto the pyre.BUT there is a large difference from what the RFC's allow and commonpractice. In our shop TCP is blocked to all but authoratativesecondaries as TCP is sinply too easy to DoS a DNS server with. Wesimply don't need a few thousand drones clogging the TCP connectiontable all trying to do zone transfers ( yes it happened and logs showdrones are still trying )


For a long time there has been a effective practice of

UDP == resolution requests
TCP == zone transfers

It would have been better if a separate port had been defined for zonetransfers as that would obviate the need for a application layer gatewayto allow TCP transfers so that zone transfers can be blocked andresolution requests allowed for now all TCP is blocked.

Now just because someone has a bright idea they drag out a 20 y/o RFCand say SEE, SEE you must allow this because the RFC says so all thewhile ignoring the 20 years of operational disciplinethat RFC was written when the internet was like the quad at collegeeveryone knew one and other and we were all working towards a commongoal of interoperability and open systems , These days the net is morelike a seedy waterfront after midnight where criminal gangs are waitingto ambush the unwary and consequently networks need to be operated fromthat standpoint.

At the University networking level it is extremely difficult as we needto maintain a open network as much as possible but protect ourinfrastructure services so that they have 5 nines of availabilityback in the day a few small hosts would serve DNS nicely and we did nothave people trying to take them down and/or infecting local hosts andattempting DHCP starvation attacks. And no we are not at the 5 nineslevel but we are working on it.



- Scott


Randy Bush wrote:

If my server responded to TCP queries from anyone other than a secondary
server, I would be VERY concerned.


you may want to read the specs

randy

Current thread:

Re: DNS problems to RoadRunner - tcp vs udp, (continued)
- - - Re: DNS problems to RoadRunner - tcp vs udp Justin Shore (Jun 13)
    - Re: DNS problems to RoadRunner - tcp vs udp Justin Shore (Jun 13)
    - Re: DNS problems to RoadRunner - tcp vs udp Robert E. Seastrom (Jun 14)
    - Re: DNS problems to RoadRunner - tcp vs udp Simon Leinen (Jun 14)
    - Re: DNS problems to RoadRunner - tcp vs udp Randy Bush (Jun 14)
  - Re: DNS problems to RoadRunner - tcp vs udp Bill Owens (Jun 13)
    - Re: DNS problems to RoadRunner - tcp vs udp Jon Kibler (Jun 13)
  - Re: DNS problems to RoadRunner - tcp vs udp Tony Rall (Jun 13)
  - Re: DNS problems to RoadRunner - tcp vs udp John Kristoff (Jun 13)
  - Re: DNS problems to RoadRunner - tcp vs udp Randy Bush (Jun 13)
    - Re: DNS problems to RoadRunner - tcp vs udp Scott McGrath (Jun 14)
    - Re: DNS problems to RoadRunner - tcp vs udp Jeroen Massar (Jun 14)
    - Re: DNS problems to RoadRunner - tcp vs udp Scott McGrath (Jun 14)
    - Re: DNS problems to RoadRunner - tcp vs udp Jeroen Massar (Jun 14)
    - Re: DNS problems to RoadRunner - tcp vs udp Sean Donelan (Jun 14)
    - Re: DNS problems to RoadRunner - tcp vs udp Mike Lewinski (Jun 14)
    - Re: DNS problems to RoadRunner - tcp vs udp Nathan Ward (Jun 14)
    - Re: DNS problems to RoadRunner - tcp vs udp Mark Andrews (Jun 15)
    - Re: DNS problems to RoadRunner - tcp vs udp Michael Sinatra (Jun 15)
    - Re: DNS problems to RoadRunner - tcp vs udp Florian Weimer (Jun 15)
    - Re: DNS problems to RoadRunner - tcp vs udp Nathan Ward (Jun 14)

(Thread continues...)