Re: Snort 2.0.4 CPU Utilization\Optimization

["Jason Haar" <Jason.Haar () trimble co nz>]

Matt Kettler said:
> DNS can be done over TCP as well as UDP, although TCP is much less
> common  most DNS servers support both. Usually TCP is only used for
> larger queries  like large zone transfers.

DNS zone transfers are *exclusively* done over TCP - never UDP. If you
don't need zone transfers, and know that your DNS records are non-complex
(no chaining CNAMEs, only a few MX records/etc), then in fact no-one even
needs to do TCP-based DNS queries off you either. TCP is only used for
large answers (I think the DNS server gives a partial answer over UDP, and
then the client re-tries the same query over TCP, where they receive the
full answer. TCP of course is reliable - so is used for large answers and
zone transfers).
For years I have been running our DMZ DNS servers as UDP-only (i.e.
firewall allows UDP port 53 only), and no-one has any issues doing DNS
lookups against us. Obviously I still have to allow our DNS caching
servers to do both TCP and UDP outbound - as there are some records that
are too large for UDP - so TCP is used. (getting a bit OT here ;-)

> It's also a preferred connection method when exploiting DNS servers,
> since  it's easier to get a shell on a two-way connection.

Yup - that's why it was really nice to drop it all together :-)

Jason






-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users