[105176] in North American Network Operators' Group


Re: DNS problems to RoadRunner - tcp vs udp

daemon@ATHENA.MIT.EDU (Justin Shore)
Fri Jun 13 16:02:56 2008

Date: Fri, 13 Jun 2008 14:59:48 -0500
From: Justin Shore <justin@justinshore.com>
To: Jon.Kibler@aset.com
In-Reply-To: <4852C1CE.2020804@aset.com>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org

Jon Kibler wrote:
> Various hardening documents for Cisco routers specify the best practices
> are to only allow 53/tcp connections to/from secondary name servers.
> Plus, from all I can tell, Cisco's 'ip inspect dns' CBAC appears to only
> handle UDP data connections and anything TCP would be denied. From what
> you are saying, the hardening recommendations are wrong and that CBAC
> may break some DNS responses. Is this correct?

A number of Cisco defaults from years gone by would break DNS today in its current form, such as how PIXs and ASAs with fixup/DPI would block udp/53 packets larger than 512 bytes, not permitting EDNS packets through.


> Also, other than "That's what the RFCs call for," why use TCP for data
> exchange instead of larger UDP packets?
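
As an added illustration (not code from this thread), the following Python constructs two sample DNS responses, one under 512 bytes and one EDNS-sized, parses each for an OPT pseudo-RR, and reports what an inspection rule that caps udp/53 at 512 bytes would do with it. The sample names, sizes and function names are assumptions made for the example.

```python
import struct

CLASSIC_UDP_LIMIT = 512  # pre-EDNS maximum DNS-over-UDP message size (RFC 1035)

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(qname, txt_len, edns_size=None):
    """Constructed sample TXT response; edns_size adds an OPT RR advertising that UDP size."""
    question = encode_name(qname) + struct.pack("!HH", 16, 1)               # TXT, IN
    payload = b"x" * txt_len
    rdata = b"".join(bytes([len(c)]) + c                                     # TXT <character-string>s
                     for c in (payload[i:i + 255] for i in range(0, txt_len, 255)))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata  # owner = pointer to offset 12
    opt = b"" if edns_size is None else b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1 if opt else 0)   # QR|RD|RA, TC clear
    return header + question + answer + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:              # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n

def edns_udp_size(msg):
    """UDP payload size advertised by an OPT RR in the additional section, or None."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                                        # QTYPE + QCLASS
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41 and i >= an + ns:                                     # OPT: CLASS holds the UDP size
            return rclass
        off += 10 + rdlen
    return None

def fixup_verdict(msg):
    """What an inspection rule that caps udp/53 at 512 bytes does with this message."""
    if len(msg) <= CLASSIC_UDP_LIMIT:
        return "pass"
    if edns_udp_size(msg) is not None:
        return "drop: %d-byte EDNS message exceeds the 512-byte cap" % len(msg)
    return "drop: oversized message without EDNS"       # a compliant server would have set TC instead
```

The oversized EDNS response is exactly the case the reply describes: the answer never reaches the resolver, so a check like this on captured udp/53 traffic explains otherwise puzzling lookup failures behind such a device.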


