[98423] in North American Network Operators' Group


Re: large organization nameservers sending icmp packets to dns servers.

daemon@ATHENA.MIT.EDU (Joe Abley)
Wed Aug 8 12:40:32 2007

In-Reply-To: <70EC72941042AA48ABE651C40408D9C985DE@hal.photon.com>
Cc: "Steve Gibbard" <scg@gibbard.org>, "Nanog" <nanog@nanog.org>
From: Joe Abley <jabley@ca.afilias.info>
Date: Wed, 8 Aug 2007 12:15:44 -0400
To: Jamie Bowden <jamie@photon.com>
Errors-To: owner-nanog@merit.edu



On 8-Aug-2007, at 11:59, Jamie Bowden wrote:

> I have a question related to what you posted below, and it's a pretty
> simple one:
>
> How is answering a query on TCP/53 any MORE dangerous than answering it
> on UDP/53?  Really.  I'd like to know how one of these security nitwits
> justifies it.  It's the SAME piece of software answering the query
> either way.

There are people (I believe; this is a little rumour-laden) who take
the approach that 53/tcp is actually safer than 53/udp, since the
handshake makes it easier to believe the query's source address. The
approach I heard about was to reply to UDP-transport queries with
some minimal answer set with TC set, and serve a more useful set of
information over TCP once the re-query arrives.

[I realise that the state involved in handling TCP queries on a busy
server is non-trivial, and that there are many aspects to this
approach which deserve raised eyebrows.]

However, my point is that "TCP is more secure than UDP" also has a
posse.


Joe
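To make the "minimal answer with TC over UDP, full answer over TCP" idea concrete, here is an added Python sketch written for this page (not code from the thread or from any nameserver): it parses a constructed query and produces a truncated, answer-less UDP reply versus a full reply once the same question arrives over TCP, where the handshake has already validated the source address.

```python
import struct

def build_query(qname: str, qtype: int = 1, tid: int = 0x1234) -> bytes:
    """Constructed sample: a standard recursive-desired query for qname, class IN."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)   # RD set
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def question_section(msg: bytes) -> bytes:
    """Return the raw question (name + type + class) of a single-question message."""
    i = 12
    while msg[i] != 0:          # walk the length-prefixed labels
        i += msg[i] + 1
    i += 1 + 4                  # root label, then QTYPE and QCLASS
    return msg[12:i]

def build_response(query: bytes, transport: str, answer_rdata: bytes) -> bytes:
    """UDP: echo the question with QR and TC set and no answers, so the client
    must retry over TCP.  TCP: serve the real answer (an A record here)."""
    tid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("this sketch only handles single-question queries")
    question = question_section(query)
    rd = flags & 0x0100                          # preserve the client's RD bit
    if transport == "udp":
        resp_flags = 0x8000 | 0x0200 | rd        # QR=1, TC=1
        return struct.pack("!HHHHHH", tid, resp_flags, 1, 0, 0, 0) + question
    if transport != "tcp":
        raise ValueError("transport must be 'udp' or 'tcp'")
    resp_flags = 0x8000 | 0x0080 | rd            # QR=1, RA=1
    # Answer RR: compression pointer to the question name at offset 12,
    # type A (1), class IN (1), TTL 300, then the rdata.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(answer_rdata)) + answer_rdata
    return struct.pack("!HHHHHH", tid, resp_flags, 1, 1, 0, 0) + question + answer

def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its two-byte length."""
    return struct.pack("!H", len(msg)) + msg

def is_truncated(resp: bytes) -> bool:
    return bool(struct.unpack("!H", resp[2:4])[0] & 0x0200)

def answer_count(resp: bytes) -> int:
    return struct.unpack("!H", resp[6:8])[0]
```

A resolver that honours TC will reissue the query over TCP; the server only spends the work of a full answer on a peer that completed the handshake.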

