[98425] in North American Network Operators' Group


Re: large organization nameservers sending icmp packets to dns servers.

daemon@ATHENA.MIT.EDU (David Conrad)
Wed Aug 8 12:54:11 2007

In-Reply-To: <70EC72941042AA48ABE651C40408D9C985DE@hal.photon.com>
Cc: Nanog <nanog@nanog.org>
From: David Conrad <drc@virtualized.org>
Date: Wed, 8 Aug 2007 09:38:28 -0700
To: Jamie Bowden <jamie@photon.com>
Errors-To: owner-nanog@merit.edu


On Aug 8, 2007, at 8:59 AM, Jamie Bowden wrote:
> How is answering a query on TCP/53 any MORE dangerous than answering it
> on UDP/53?  Really.  I'd like to know how one of these security nitwits
> justifies it.  It's the SAME piece of software answering the query
> either way.

How many bytes of shell code can you stuff in a 512 byte DNS UDP packet?

How many bytes of shell code can you stuff in a TCP DNS connection?

Rgds,
-drc

P.S. I still think blocking TCP/53 is stupid.
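The two questions above turn on message framing: RFC 1035 caps a DNS message over UDP at 512 octets (EDNS0 later relaxed that), while over TCP every message carries a 16-bit length prefix and can run to 65535 octets. The following is an added example, not code from the original thread or from any nameserver; it builds a query and a response from scratch, shows a server truncating an oversize UDP answer with the TC bit set so the client retries over TCP, and frames and unframes messages on a TCP stream. The 31-record example.com answer is constructed input chosen to exceed 512 octets.

```python
"""DNS message size ceilings over UDP (512 octets, no EDNS0) versus TCP
(16-bit length prefix, up to 65535 octets), per RFC 1035."""
import struct

UDP_MAX = 512     # RFC 1035 s2.3.4: UDP message size ceiling without EDNS0
TCP_MAX = 0xFFFF  # RFC 1035 s4.2.2: TCP messages carry a 16-bit length prefix
TC_FLAG = 0x0200  # "TrunCation" bit in the header flags word


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def skip_name(msg, pos):
    """Return the offset just past the name that starts at msg[pos]."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def build_query(qname, qtype=1, txid=0x1234):
    """Recursive query: 12-byte header plus one question (type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, addresses, ttl=60):
    """Answer a build_query() message with one A record per address.
    Each record points back to the question name (0xC00C), so it costs 16 octets."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + question + answers


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)


def udp_frame(msg):
    """What a server puts on the wire over UDP: the message as is if it fits,
    otherwise only header + question with TC=1 so the client retries over TCP."""
    if len(msg) <= UDP_MAX:
        return msg
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4        # name, then QTYPE and QCLASS
    header = struct.pack("!HHHHHH", txid, flags | TC_FLAG, qdcount, 0, 0, 0)
    return header + msg[12:pos]


def tcp_frame(msg):
    """Prefix a message with its 16-bit big-endian length for a TCP stream."""
    if len(msg) > TCP_MAX:
        raise ValueError("DNS message exceeds the 16-bit TCP length prefix")
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split a TCP byte stream into complete messages plus any partial tail."""
    messages = []
    pos = 0
    while pos + 2 <= len(stream):
        length = struct.unpack("!H", stream[pos:pos + 2])[0]
        if pos + 2 + length > len(stream):
            break                              # wait for the rest of this message
        messages.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages, stream[pos:]


if __name__ == "__main__":
    # Constructed sample: 31 A records for example.com is 525 octets, over UDP_MAX.
    query = build_query("example.com")
    big = build_response(query, ["192.0.2.1"] * 31)
    over_udp = udp_frame(big)
    print(f"full answer {len(big)} octets; UDP sends {len(over_udp)} octets, TC={is_truncated(over_udp)}")
    print(f"TCP frame {len(tcp_frame(big))} octets; ceiling per TCP message {TCP_MAX}")
```

Running it shows the asymmetry behind the two questions: the same 525-octet answer goes out over UDP as a 29-octet truncated reply, but over TCP as a single 527-octet frame, and a TCP message may be over a hundred times larger than a pre-EDNS0 UDP one. The framing itself is the same code path in the server, which is why the P.S. still holds: the size difference is not a reason to block TCP/53, and truncated answers make TCP fallback a normal part of DNS.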

