[98404] in North American Network Operators' Group
Re: large organization nameservers sending icmp packets to dns servers.
daemon@ATHENA.MIT.EDU (David Conrad)
Tue Aug 7 18:43:07 2007
In-Reply-To: <20070807161508.V95791@calis.blacksun.org>
Cc: Nanog <nanog@nanog.org>
From: David Conrad <drc@virtualized.org>
Date: Tue, 7 Aug 2007 15:40:29 -0700
To: Donald Stahl <don@calis.blacksun.org>
Errors-To: owner-nanog@merit.edu
Hi,
On Aug 7, 2007, at 1:33 PM, Donald Stahl wrote:
> Can someone, anyone, please explain to me why blocking TCP 53 is
> considered such a security enhancement? It's a token gesture and
> does nothing to really help improve security. It does, however,
> cause problems.
It has been argued that it is a bit harder to download/bootstrap
shell code/arbitrary root kit through the latest BIND vulnerability
(or whatever) via a 512 UDP packet than it is through TCP.
> Someone was only too happy to point out to me that he would never
> create a record larger than 512 bytes so why should they allow TCP
> queries? The answer is simple- because they are supposed to be
> allowed.
Yep. However, as the always amusing Dr. Bernstein points out, if you
don't care about zone transfer, DNS-over-TCP is an optional part of
the standard (per RFC 1123).
> Before long it becomes impossible to implement new features because
> you can't be sure if someone else hasn't broken something
> intentionally.
Yep. And then they scream at you when you tickle their brokenness.
It sucks.
Rgds,
-drc
P.S. Note that I think blocking TCP/53 is really stupid.
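As an added example (not part of the thread or any poster's code), the Python below models the mechanism the thread is arguing over: a non-EDNS UDP answer is capped at 512 bytes, the server sets the TC bit when the answer does not fit, and the resolver is then expected to retry the same query over TCP using the 2-byte length framing. The zone name, TXT record contents, and the `resolve_with_fallback` simulation are constructed for this example; a filter on TCP/53 is modelled as a timeout, which is what a resolver actually sees.

```python
"""Added example: the 512-byte UDP limit, the TC bit, and the TCP fallback
that a TCP/53 filter breaks.  Every message here is built in-process."""
import struct

DNS_UDP_LIMIT = 512   # classic UDP payload ceiling without EDNS (RFC 1035 2.3.4)
FLAG_QR = 0x8000      # message is a response
FLAG_RD = 0x0100      # recursion desired
FLAG_RA = 0x0080      # recursion available
FLAG_TC = 0x0200      # truncated: client should retry over TCP (RFC 1035 4.2.1)


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """Standard query, RD set, one question, no EDNS OPT record."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def txt_rr(name, text, ttl=300):
    """One TXT resource record with a single character-string (<= 255 bytes)."""
    if len(text) > 255:
        raise ValueError("TXT character-string too long")
    rdata = bytes([len(text)]) + text
    return encode_name(name) + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata


def build_response(query, answers, max_size=DNS_UDP_LIMIT):
    """Answer a query with pre-encoded RRs; behave like a server that drops
    answers and sets TC once the message would exceed max_size."""
    (txid,) = struct.unpack("!H", query[:2])
    question = query[12:]                 # copy the question section back
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    kept, size = [], 12 + len(question)
    for rr in answers:
        if size + len(rr) > max_size:
            flags |= FLAG_TC              # could not fit: signal truncation
            break
        kept.append(rr)
        size += len(rr)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(kept), 0, 0)
    return header + question + b"".join(kept)


def needs_tcp_fallback(udp_response):
    """A resolver must retry over TCP when the UDP answer carries TC=1."""
    return parse_header(udp_response)["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Strip the TCP length prefix, checking the body is complete."""
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("incomplete TCP DNS message")
    return body


def resolve_with_fallback(query, server_answers, tcp53_blocked):
    """Simulated resolver: UDP first, TCP when truncated.
    Returns (transport, answer_count); raises TimeoutError if TCP/53 is filtered
    and the answer only fits over TCP.  (Simulation, not real sockets.)"""
    udp = build_response(query, server_answers, DNS_UDP_LIMIT)
    if not needs_tcp_fallback(udp):
        return "udp", parse_header(udp)["ancount"]
    if tcp53_blocked:
        raise TimeoutError("TC=1 but TCP/53 filtered: the retry never completes")
    wire = tcp_frame(build_response(query, server_answers, 0xFFFF))
    tcp = tcp_unframe(wire)
    return "tcp", parse_header(tcp)["ancount"]


if __name__ == "__main__":
    # Constructed scenario: five 200-byte TXT records, roughly 1.1 KB of answer.
    q = build_query(0x1234, "example.test", qtype=16)
    big = [txt_rr("example.test", b"x" * 200) for _ in range(5)]
    print(resolve_with_fallback(q, big, tcp53_blocked=False))
    try:
        resolve_with_fallback(q, big, tcp53_blocked=True)
    except TimeoutError as e:
        print("blocked:", e)
```

The practical check against a live server is `dig +tcp @<nameserver> <name>`; a filtered TCP/53 shows up as a timeout rather than a refusal, which is exactly the "tickle their brokenness" failure the thread complains about, and it bites any response that exceeds 512 bytes, not only zone transfers.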