tcp limitations

Guy Pazi guy at wanwall.com
Mon Jun 11 07:57:59 UTC 2001


Hi Simon,
Thanks for your answer,

> Guy Pazi wrote:
> >
> > I am interested in blocking udp traffic, including dns udp queries and
> > replies, using a firewall.
>
> Sounds sensible, amazes me that some firewalls ship allowing
> all UDP packets through!
>
> > My question is, what bind versions allow tcp queries not preceded by
> > truncated udp queries (actually, not preceded by udp queries at all).

I'm afraid I didn't explain myself clearly (maybe because I wasn't sure of
the problem).
What I meant was, do bind servers allow regular queries, besides zone
transfer, to be accepted over tcp, without first being queried over udp?
I.e. do name servers REQUIRE an initial udp query to be first truncated
before they will allow a matching tcp query, or do they accept tcp queries
without questioning? And how common is it out there to have name servers
that don't answer any tcp (non-zone-transfer) queries at all?

What worries me are the limitations (memory/socket/cpu) of the name server
for tcp traffic. A name server is probably somehow blocked, (or otherwise
overloaded quite fast) for a certain number of concurrent tcp connections.
When reaching that point, I will not be able to get dns services.
Blocking all udp traffic is critical for our company, so leaving it open in
the firewall is not an option.
Changing the network structure is impossible as well.
What's left is to minimize dns queries (all tcp). But how much is acceptable
in ratio with udp queries?

>
> AFAIK all BIND versions do zone transfer with TCP only,
> otherwise I understood the request was sent, and if the
> response exceeds a certain size (version dependent) the
> response is truncated. Different DNS servers handle
> truncating differently, some truncate immediately, some at
> the last complete record.
>
> DJB discussed this on his web site (http://cr.yp.to) as his
> DNS program works slightly differently to BIND.
>
> The situation is changing in the general case, as BIND
> packets are getting larger due to protocol changes.
>
> > I've experienced some problems with that but couldn't really put my finger
> > on the whens and whats.
>
> Depends what you're trying to do to filter queries.
>
> Whilst some firewalls have stateful handling of DNS queries
> as a prepared "services" you can enable, if you lack this
> I'd stick to the simple - allow outgoing TCP and UDP to port
> 53 on your chosen nameservers. Obviously what you allow
> these queries from (all clients, or just web proxy servers
> and mail servers) or the more complicated case where you run
> your own nameservers, will depend on your business
> requirements and security needs.
>
> --
> Simon Waters
> Are you using the Internet to best effect ?
> www.eighth-layer.com
> Tel: +44(0)1395 232769      ICQ: 116952768
> Moderated discussion of teleworking issues at
> news:uk.business.telework
>
>

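The two client behaviours discussed in this thread, as an added example that is not part of the original messages: a UDP-first stub resolver that only retries over TCP when the reply has the TC (truncated) bit set, and a TCP-only client that frames the query with the two-byte length prefix and sends it with no UDP attempt at all. The sample reply is constructed inline; no network access is needed.

```python
import struct

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query in wire format: 12-byte header (RD=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN

def tcp_frame(msg: bytes) -> bytes:
    """RFC 1035 4.2.2: over TCP each message is preceded by a two-byte length."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream: bytes) -> bytes:
    """Strip the length prefix from the first message in a TCP byte stream."""
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]

def is_truncated(response: bytes) -> bool:
    """True when the TC bit (0x0200 in the flags word) is set on a reply."""
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & 0x0200)

def next_transport(udp_response: bytes) -> str:
    """Classic stub-resolver rule: fall back to TCP only if the UDP reply was truncated."""
    return "tcp" if is_truncated(udp_response) else "done"

# Constructed sample reply: QR=1, TC=1, RD=1, RA=1 (flags 0x8380), no answer
# records, echoing the example.com/A question.
SAMPLE_TRUNCATED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
    + build_query("example.com")[12:]
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("UDP-first client decides:", next_transport(SAMPLE_TRUNCATED_REPLY))
    # TCP-only client (the case asked about in the thread): frame and send
    # directly; there is no UDP query and therefore no truncation step.
    print("TCP-framed query:", tcp_frame(q).hex())
```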

