Great Circle Associates Firewalls
(April 1993)
 


Subject: DNS over TCP
From: avalon @ coombs . anu . edu . au (Darren Reed)
Date: Mon, 19 Apr 93 1:38:03 EST
To: firewalls @ GreatCircle . COM (Firewall Mailing List)
Reply-to: avalon @ coombs . anu . edu . au

People have said that they block all UDP packets bar those from and to
port 53 (the port assigned to DNS and used by nameservers).

Isn't there some motivation here to try to get a universal block on UDP
and move the DNS requests to be handled by TCP connects?  BIND 4.8.3
supports it (RES_USEVC in resolv.h) and it is assigned:

domain          53/tcp          nameserver      # name-domain server
domain          53/udp          nameserver

so why not?  Are DNS transactions lightweight enough to make requiring
TCP an overkill?  What if the TCP connection were kept open during the
life of the nameserver rather than on a per-request basis?

Darren


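The post asks whether DNS could run entirely over TCP, and whether one connection could be kept open for the life of the nameserver. The following is an added example, not code from the original post or from BIND, showing the only wire-level difference between the two transports: over UDP a DNS message is one datagram, while over TCP each message is preceded by a two-byte big-endian length (RFC 1035 section 4.2.2), which is what lets several queries share one long-lived stream. The function names, the transaction IDs and the query names are constructed for the example.

```python
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 s4.1.1)
HEADER_FMT = "!HHHHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
FLAG_RD = 0x0100          # recursion desired, the only flag a stub resolver sets
QTYPE_A, QCLASS_IN = 1, 1


def build_query(qname: str, txid: int, qtype: int = QTYPE_A) -> bytes:
    """Encode a minimal standard query. This is the whole UDP datagram."""
    header = struct.pack(HEADER_FMT, txid, FLAG_RD, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    qname_wire += b"\x00"  # root label terminates the name
    return header + qname_wire + struct.pack("!HH", qtype, QCLASS_IN)


def frame_for_tcp(msg: bytes) -> bytes:
    """Prefix a message with its length for TCP transport (RFC 1035 s4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too long for a 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def unframe_stream(buf: bytes):
    """Split the bytes read so far from a TCP socket into complete messages.

    Returns (messages, leftover). A message whose length prefix announces
    more bytes than have arrived is left in `leftover` for the next read;
    this is the partial-read case a UDP-only parser never has to handle.
    """
    msgs, off = [], 0
    while off + 2 <= len(buf):
        (n,) = struct.unpack_from("!H", buf, off)
        if off + 2 + n > len(buf):
            break
        msgs.append(buf[off + 2: off + 2 + n])
        off += 2 + n
    return msgs, buf[off:]


def txid_of(msg: bytes) -> int:
    """Transaction ID: the field a client uses to match pipelined answers."""
    return struct.unpack_from("!H", msg, 0)[0]


def qname_of(msg: bytes) -> str:
    """Decode the question name that follows the 12-byte header."""
    labels, off = [], HEADER_LEN
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off: off + n].decode("ascii"))
        off += n
    return ".".join(labels)


def demo_persistent_connection():
    """Three queries on one TCP stream, delivered in two arbitrary chunks.

    Models the 'connection kept open' case from the post: the receiver
    must reassemble on the length prefix and match replies by ID, because
    TCP gives it a byte stream, not one datagram per query.
    """
    names = ["example.com", "example.net", "example.org"]   # constructed
    queries = [build_query(n, i) for i, n in enumerate(names, start=1)]
    stream = b"".join(frame_for_tcp(q) for q in queries)
    chunk1, chunk2 = stream[:40], stream[40:]   # a split TCP might produce
    got, rest = unframe_stream(chunk1)          # first message complete
    more, rest = unframe_stream(rest + chunk2)  # partial one finishes here
    parsed = [(txid_of(m), qname_of(m)) for m in got + more]
    return parsed, rest


if __name__ == "__main__":
    for txid, name in demo_persistent_connection()[0]:
        print(f"id={txid:#06x} qname={name}")
```

From a firewall's point of view this framing is also why "53/tcp" cannot be filtered the way "53/udp" is: a single accepted connection can carry an unbounded number of queries, and a rule that only looks at the first packet sees only the first length prefix.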

Follow-Ups:
  • Re: DNS over TCP
    From: "Louis A. Mamakos" <louie @ NI . umd . edu>
  • Re: DNS over TCP
    From: Christophe Wolfhugel <Christophe . Wolfhugel @ grasp . insa-lyon . fr>