[80282] in North American Network Operators' Group
Re: using TCP53 for DNS
daemon@ATHENA.MIT.EDU (Nils Ketelsen)
Thu Apr 28 03:26:31 2005
Date: Thu, 28 Apr 2005 09:25:47 +0200
From: Nils Ketelsen <nils.ketelsen@kuehne-nagel.com>
To: nanog@merit.edu
In-Reply-To: <CEE26A72-6288-46E9-9499-386F3277B442@ianai.net>
Errors-To: owner-nanog@merit.edu
Patrick W. Gilmore wrote:
> In the thread about ns*.worldnic.com, many people were complaining
> about DNS responses/queries on TCP port 53.
>
> At least one DoS mitigation box uses TCP53 to "protect" name servers.
> Personally I thought this was a pretty slick trick, but it appears to
> have caused a lot of problems. From the thread (certainly not a
> scientific sampling), many people seem to be filtering port 53 TCP to
> their name servers.
I know that many people block 53/TCP to their nameservers or from
their resolvers. Firewall configs are widely based on rumours ("I've
heard DNS runs on UDP/53"), not based on protocol definitions. The
problem is that blocking TCP/53 outgoing from your resolver will work
in 99% (wild guess) of all cases and therefore if it does not work for
resolving manyrecords.example.com it obviously is the fault of
example.com.
Many "security experts" believe that 53/TCP is only used for zone
transfers.
Nils
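The failure mode Nils describes (a resolver that can reach UDP/53 but not TCP/53 silently breaks on large answers) comes from the DNS truncation rule: when an answer does not fit in the UDP reply, the server sets the TC bit and the client is expected to retry the same question over TCP, where each message is prefixed with a 2-byte length. The following is an added example, not code from the original thread: a minimal Python client that sends a query over UDP, checks the TC flag, and falls back to TCP, reporting a TCP connection failure instead of blaming the remote zone. The `manyrecords.example.com` name is the post's own placeholder; the server address, the timeout, and the sample truncated response used in the comments are constructed for illustration.

```python
import socket
import struct

# Query types used below (RFC 1035 values).
QTYPE_A = 1
QTYPE_TXT = 16


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_flags(msg: bytes) -> dict:
    """Decode the 12-byte header; 'tc' is the truncation bit (0x0200)."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "tc": bool(flags & 0x0200),   # 1 = answer truncated, retry over TCP
        "rcode": flags & 0x000F,      # 0 = NOERROR
        "answers": an,
    }


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream: bytes) -> bytes:
    """Strip the length prefix and verify the whole message arrived."""
    if len(stream) < 2:
        raise ValueError("short TCP frame")
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("incomplete TCP frame")
    return body


def query_udp(query: bytes, server: str, timeout: float) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return data


def query_tcp(query: bytes, server: str, timeout: float) -> bytes:
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(query))
        buf = b""
        # Read until the length prefix says the message is complete.
        while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return tcp_unframe(buf)


def resolve(name: str, server: str, qtype: int = QTYPE_A, timeout: float = 3.0) -> dict:
    """UDP first; on TC=1 retry over TCP and record a TCP failure explicitly.

    A result with 'tcp_error' set means the answer is too big for UDP and
    TCP/53 is blocked somewhere on the path, which is the resolver-side
    misconfiguration the post describes, not a problem with the zone.
    """
    query = build_query(name, qtype)
    info = parse_flags(query_udp(query, server, timeout))
    info["transport"] = "udp"
    if info["tc"]:
        try:
            info = parse_flags(query_tcp(query, server, timeout))
            info["transport"] = "tcp"
        except OSError as exc:
            info["tcp_error"] = str(exc)
    return info


if __name__ == "__main__":
    # Assumed resolver address and the post's placeholder name.
    print(resolve("manyrecords.example.com", "192.0.2.53", QTYPE_TXT))
```

Running the script against a resolver that returns a truncated TXT answer shows `"transport": "tcp"` when TCP/53 is open, and a `tcp_error` entry (typically a connection timeout or refusal) when an outbound filter drops it; that second case is the one that gets misattributed to the remote zone.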